Security experts at IBM X-Force found a piece of malware dubbed ZeroCleare (the name ZeroCleare comes from the path in the binary file) that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.
“To date, X-Force IRIS has not found any previous reporting on the ZeroCleare wiper, its indicators or elements observed
The wiper leverages a vulnerable driver and malicious PowerShell/batch scripts to bypass Windows controls.
IBM X-Force experts believe, however, that ZeroCleare does not belong to the Shamoon malware family.
The experts believe that the ZeroCleare attacks are not opportunistic: the malicious code was developed by the ITG13 threat group, also known as APT34/OilRig. The researchers also believe that a second APT group, likely based out of Iran, was involved in the malware's development.
“The general flow of events
“This workaround has likely been used because 64-bit Windows-based devices are protected with Driver Signature Enforcement (DSE).”
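The DSE workaround described above is something a defender can hunt for on a 64-bit Windows host. The following PowerShell check is an added example, not code from the IBM report or from SecurityAffairs; it assumes it is run from an elevated prompt, and `$KnownVulnerableHashes` is a placeholder to be filled from your own intelligence feed. It generalises beyond this one wiper: it checks whether boot settings weaken DSE, verifies the Authenticode signature of every running kernel driver, and lists recent kernel-driver service installs (System log event 7045) for a timeline.

```powershell
# Added defender-side check for "vulnerable signed driver loaded to get around DSE".
# Assumptions: run as Administrator; $KnownVulnerableHashes is a placeholder list
# of SHA256 hashes from your own threat intel (the article supplies no hashes).
$KnownVulnerableHashes = @()

# 1. Boot configuration that weakens Driver Signature Enforcement.
$bcd  = bcdedit /enum '{current}' 2>$null
$weak = $bcd | Where-Object { $_ -match '^\s*(testsigning|nointegritychecks)\s+Yes' }
if ($weak) { Write-Warning "DSE weakened at boot: $($weak -join '; ')" }

# 2. Running kernel drivers: signature status and hash match.
$drivers  = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
$findings = foreach ($d in $drivers) {
    if (-not $d.PathName) { continue }
    # Normalise NT-style paths (\SystemRoot\..., \??\C:\...) to Win32 paths.
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $reason = @()
    if ($sig.Status -ne 'Valid')                { $reason += "signature $($sig.Status)" }
    if ($KnownVulnerableHashes -contains $hash) { $reason += 'known-vulnerable hash' }
    if ($reason) {
        [pscustomobject]@{
            Driver = $d.Name; Path = $path; Signer = $sig.SignerCertificate.Subject
            SHA256 = $hash;   Reason = ($reason -join '; ')
        }
    }
}
$findings | Format-Table -AutoSize

# 3. Kernel-mode driver services installed in the last 7 days (System log, event 7045).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

Because the driver abused in attacks of this kind carries a valid signature (that is what lets it load under DSE), the signature status alone will not flag it; the hash list and the install timeline are what make the check useful.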
The attack infrastructure overlaps with that used in past attacks by groups believed to be operating out of Iran.
Researchers noticed that one of the IP addresses used to access compromised network accounts in mid-2019 was 194.187.249
The infrastructure set up by one of these Iranian groups was allegedly hacked by the Russia-linked Turla APT, but X-Force experts
“Looking at the geographical region hit by the ZeroCleare malware, it is not the first time the Middle East has seen destructive attacks target its energy sector. In addition to underpinning the economies of several Gulf nations, the Middle Eastern petrochemical market, for example, hosts approximately 64.5 percent of the world’s proven oil reserves, according to OPEC, making it a vital center of global energy architecture,” the experts conclude. “Destructive attacks against energy infrastructure in this arena, therefore, represent a high-impact threat to both regional and international markets.”
(SecurityAffairs – ZeroCleare, Wiper)