Iran-Linked APT groups target energy, industrial sectors with ZeroCleare Wiper

Pierluigi Paganini December 05, 2019

Experts spotted a piece of malware dubbed ZeroCleare that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

Security experts at IBM X-Force found a piece of malware dubbed ZeroCleare (the name ZeroCleare comes from the path in the binary file) that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

ZeroCleare is classified as a destructive wiper that experts attribute to Iran-linked APT groups. According to the researchers, the campaign they monitored may have been the first in which this malware was used.

“To date, X-Force IRIS has not found any previous reporting on the ZeroCleare wiper, its indicators or elements observed in this campaign. It is possible that it is a recently developed malware and that the campaign we analyzed is one of the first to use this version,” reads the analysis published by IBM X-Force. “We suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper.”

ZeroCleare has some similarities with the infamous Shamoon malware: it overwrites the master boot record (MBR) and disk partitions of Windows-based systems using the legitimate EldoS RawDisk tool.

The wiper leverages a vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls. ZeroCleare was spread to numerous devices on the affected network with the intent of causing extensive damage to the target organization.

ZeroCleare infection

However, IBM X-Force experts believe that ZeroCleare does not belong to the same malware family as Shamoon.

The experts believe that the ZeroCleare attacks are not opportunistic: the malicious code was developed by the ITG13 threat group, also known as APT34/OilRig. The researchers believe that the development of the malware also involved a second APT group, likely also based out of Iran.

The ZeroCleare wiper can attack both 32-bit and 64-bit Windows systems.

“The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines.” continues the analysis.

“This workaround has likely been used because 64-bit Windows-based devices are protected with Driver Signature Enforcement (DSE).”
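The defensive takeaway from the passage above is that every kernel driver ZeroCleare needs is either unsigned (blocked by DSE unless it is bypassed), a vulnerable but validly signed third-party driver, or the legitimate RawDisk driver. The following triage script is an added example, not code from the original post or from IBM X-Force: it runs over constructed log lines shaped like Sysmon Event ID 6 (DriverLoad) output and flags the three cases. The allowlist, the RawDisk file name `elrawdsk.sys` and the signer string "EldoS Corporation" are assumptions taken from public reporting and should be checked against your own estate.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of Sysmon Event ID 6 (DriverLoad) text
# output; every path, hash and signer value here is made up for this example.
SAMPLE_LOG = """\
Driver loaded: ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys Hashes: SHA256=AAAA Signed: true Signature: Microsoft Windows SignatureStatus: Valid
Driver loaded: ImageLoaded: C:\\Windows\\System32\\drivers\\elrawdsk.sys Hashes: SHA256=BBBB Signed: true Signature: EldoS Corporation SignatureStatus: Valid
Driver loaded: ImageLoaded: C:\\Users\\Public\\oldvendor.sys Hashes: SHA256=CCCC Signed: true Signature: Example Vendor Ltd SignatureStatus: Valid
Driver loaded: ImageLoaded: C:\\Windows\\System32\\drivers\\nic.sys Hashes: SHA256=DDDD Signed: true Signature: Some Hardware Vendor SignatureStatus: Valid
Driver loaded: ImageLoaded: C:\\Windows\\Temp\\x.sys Hashes: SHA256=EEEE Signed: false Signature: - SignatureStatus: Unsigned
"""

# Signers the organisation expects to load kernel drivers (assumed allowlist).
ALLOWED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
# Signers of legitimate raw-disk tools abused by wipers (assumed from public reporting).
RAWDISK_SIGNERS = {"EldoS Corporation"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

FIELD_RE = re.compile(r"ImageLoaded: (?P<image>.+?) Hashes: .*? Signed: (?P<signed>\w+) "
                      r"Signature: (?P<signer>.+?) SignatureStatus: (?P<status>\w+)")

@dataclass
class Finding:
    image: str
    severity: str
    reason: str

def assess_driver_loads(log_text: str) -> list[Finding]:
    """Return one Finding per driver load that does not look like normal OS activity."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        image, signer = m["image"], m["signer"]
        validly_signed = m["signed"].lower() == "true" and m["status"] == "Valid"
        outside_driver_dir = not image.lower().startswith(DRIVER_DIR)
        if not validly_signed:
            # DSE should refuse this on 64-bit Windows; if it loaded anyway, DSE was bypassed or disabled.
            findings.append(Finding(image, "high", "unsigned driver loaded (possible DSE bypass)"))
        elif signer in RAWDISK_SIGNERS:
            # Legitimate tool, but raw disk access from an endpoint is how the MBR gets overwritten.
            findings.append(Finding(image, "high", f"raw disk access driver signed by {signer}"))
        elif signer not in ALLOWED_SIGNERS:
            # A validly signed third-party driver dropped outside the driver directory is the
            # "vulnerable signed driver" pattern; the same signer in the OS driver dir is only worth a review.
            severity = "high" if outside_driver_dir else "medium"
            findings.append(Finding(image, severity, f"signed by non-allowlisted signer {signer}"))
    return findings

if __name__ == "__main__":
    for f in assess_driver_loads(SAMPLE_LOG):
        print(f.severity.upper(), f.image, "-", f.reason)
```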

The attack infrastructure overlaps with that used in past attacks by groups believed to be operating out of Iran.

Researchers noticed that one of the IP addresses used to access compromised network accounts in mid-2019 was 194.187.249[.]103, which is adjacent to another IP address, 194.187.249[.]102. The 194.187.249[.]102 IP address had been used several months prior to the attack by the threat actor Hive0081 (aka xHunt).

The infrastructure set up by one of these Iranian groups was allegedly hacked by the Russia-linked Turla APT, but X-Force experts do not believe that the Russian group was behind the ZeroCleare attacks.

“Looking at the geographical region hit by the ZeroCleare malware, it is not the first time the Middle East has seen destructive attacks target its energy sector. In addition to underpinning the economies of several Gulf nations, the Middle Eastern petrochemical market, for example, hosts approximately 64.5 percent of the world’s proven oil reserves, according to OPEC, making it a vital center of global energy architecture,” conclude the experts. “Destructive attacks against energy infrastructure in this arena, therefore, represent a high-impact threat to both regional and international markets.”


Pierluigi Paganini

(SecurityAffairs – ZeroCleare, Wiper)
