A new malware capable of wiping a nation's sensitive data is now reported to be attacking a few energy companies in the Middle East. IBM's research team has named this malware ZeroCleare; they studied it and detailed how it works in a 28-page report on their site.
In the pursuit of dominance over one another, countries with heavy arms and technology will always have the upper hand, and one such case is here: malware attacks on each other's resources. IBM's security research team, X-Force, has detected a new malware being disseminated by attackers from Iran to erase data from systems. It is explained below.
Like past wipers, IBM said this one is deployed to erase confidential information from systems. The aim of such malware is to hinder the victims' business operations and to mask any intrusion that has taken place. IBM did not specify which energy companies were infected. It further revealed that two versions of this malware were created, one for 32-bit and another for 64-bit systems; only the latter was said to be operational at the time.
Workflow
The malware first attempts a brute-force attack against vulnerable systems and, if that succeeds, exploits a SharePoint vulnerability to install web shells. Once inside, the attackers spread across the entire network by exploiting vulnerable drivers and installing PowerShell/batch scripts that can bypass Windows controls.
After settling in, it loads a legitimate toolkit, EldoS RawDisk, to interact with files, disks, and partitions. This access is then used to wipe the MBR and damage disk partitions on a large number of networked devices.
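From a defender's side, the workflow above is a chain of observable stages: a burst of failed logons, a script file written into the web root by the SharePoint/IIS worker process, a shell or PowerShell process spawned by that worker, and finally a raw-disk driver load that precedes the wipe. The following is an added example (not IBM's code and not from the report) that correlates those stages per host over constructed log lines and raises an alert when a raw-disk driver load or several stages appear on one host. The log format, field names, the `w3wp.exe` worker heuristic, the brute-force threshold and all sample values are assumptions made for the example.

```python
"""Added defensive example: correlate the ZeroCleare-style stages the article
describes per host. Log format, fields and sample values are constructed."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real events). Assumed line format:
#   <timestamp> <host> <event_type> key=value ...   (quoted values may contain spaces)
SAMPLE_LOGS = """\
2019-12-01T01:00:00Z sp01 logon_failed user=svc_sp src=10.0.0.5
2019-12-01T01:00:01Z sp01 logon_failed user=svc_sp src=10.0.0.5
2019-12-01T01:00:02Z sp01 logon_failed user=svc_sp src=10.0.0.5
2019-12-01T01:00:03Z sp01 logon_failed user=svc_sp src=10.0.0.5
2019-12-01T01:00:04Z sp01 logon_failed user=svc_sp src=10.0.0.5
2019-12-01T01:00:05Z sp01 logon_ok user=svc_sp src=10.0.0.5
2019-12-01T01:05:00Z sp01 file_created path="C:\\inetpub\\wwwroot\\shell.aspx" proc=w3wp.exe
2019-12-01T01:06:00Z sp01 process_created image=powershell.exe parent=w3wp.exe
2019-12-01T01:07:00Z sp01 driver_loaded description="RawDisk driver" signer="PLACEHOLDER-VENDOR"
2019-12-01T01:08:00Z fs02 driver_loaded description="RawDisk driver" signer="PLACEHOLDER-VENDOR"
2019-12-01T01:09:00Z ws07 logon_failed user=jdoe src=10.0.0.9
2019-12-01T01:09:30Z ws07 logon_ok user=jdoe src=10.0.0.9
"""

BRUTE_FORCE_THRESHOLD = 5          # assumed: failures per host before we call it brute force
WEB_SERVER_WORKER = "w3wp.exe"     # IIS worker process, which hosts SharePoint
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
WEB_SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split a log line into (timestamp, host, event_type, {field: value})."""
    parts = line.split(" ", 3)
    ts, host, event = parts[0], parts[1], parts[2]
    rest = parts[3] if len(parts) > 3 else ""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    return ts, host, event, fields


def detect_stages(log_text):
    """Return {host: set(stage_names)} for every host showing at least one stage."""
    failures = defaultdict(int)
    stages = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, event, f = parse_line(line)
        if event == "logon_failed":
            failures[host] += 1
            if failures[host] >= BRUTE_FORCE_THRESHOLD:
                stages[host].add("brute_force")
        elif event == "logon_ok" and failures[host] >= BRUTE_FORCE_THRESHOLD:
            # a success right after a failure burst: the brute force likely worked
            stages[host].add("brute_force_success")
        elif (event == "file_created"
              and f.get("proc", "").lower() == WEB_SERVER_WORKER
              and f.get("path", "").lower().endswith(WEB_SCRIPT_EXTENSIONS)):
            # the web server itself writing a server-side script: web-shell heuristic
            stages[host].add("web_shell")
        elif (event == "process_created"
              and f.get("parent", "").lower() == WEB_SERVER_WORKER
              and f.get("image", "").lower() in SCRIPT_HOSTS):
            stages[host].add("script_from_webserver")
        elif event == "driver_loaded" and "rawdisk" in f.get("description", "").lower():
            # raw disk access driver load: the step that precedes MBR/partition wiping
            stages[host].add("rawdisk_driver")
    return dict(stages)


def alerts(log_text, min_stages=2):
    """Hosts worth alerting on: any raw-disk driver load, or several chained stages."""
    out = []
    for host, st in sorted(detect_stages(log_text).items()):
        if "rawdisk_driver" in st or len(st) >= min_stages:
            out.append((host, sorted(st)))
    return out


if __name__ == "__main__":
    for host, st in alerts(SAMPLE_LOGS):
        print(f"ALERT {host}: {', '.join(st)}")
```

The raw-disk driver load is treated as alert-worthy on its own because, once that stage is reached, the wipe can follow within moments and the earlier stages may have happened on a different host; seeing it on more than one host at once is the "large number of networked devices" pattern the article describes.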
The State-Backed Groups
IBM detailed in its report that this malware is deployed by two Iran state-owned hacking groups, xHunt and APT34. As the report puts it, "Based on the analysis of the malware and the attackers' behaviour, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper." It confirms that it is a brainchild of xHunt and APT34.
Resembling Shamoon
This new malware is said to closely resemble Shamoon, one of the few malware of this kind that succeeded in wiping out data in the past. ZeroCleare's modus operandi and targets are just like Shamoon's, which also attacked energy companies in Saudi Arabia in the past. While Shamoon was carried out by the Iran state-backed APT33 group, this one was carried out by new groups. IBM initially reported that some members (maybe more) of APT33's team could be involved in this new case, but later clarified that the new teams were xHunt and APT34.