WSi News 2019-12-09 09:43:26


New Destructive Wiper “ZeroCleare” Identified by IBM® X-Force® Incident Response and Intelligence Services (IRIS), Targeting the Energy Sector in the Middle East

IBM® X-Force® researchers have identified a new malware, which they have dubbed “ZeroCleare”, that has been used in destructive attacks against the critical energy sector.

According to X-Force analysis, ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. Based on the analysis of the malware and the attackers’ behaviour, they suspect Iran-based nation-state adversaries were involved in developing and deploying this new wiper.

Given the evolution of destructive malware targeting organizations in the region, they were not surprised to find that ZeroCleare bears some similarity to the Shamoon malware. Taking a page out of the Shamoon playbook, ZeroCleare aims to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines. As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions.

Nation-state groups and cyber criminals frequently use legitimate tools in ways that a vendor did not intend to accomplish malicious or destructive activity. Using RawDisk with malicious intent enabled ZeroCleare’s operators to wipe the MBR and damage disk partitions on a large number of networked devices. To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls. Adding these ‘living off the land’ tactics to the scheme, ZeroCleare was spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from. These tactics resemble the way Shamoon was launched in attacks on Arabian Gulf targets in 2018.
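Because the damage described above is done by overwriting the first sector of the disk, one simple defensive check is to parse that sector and compare it with a known-good baseline. The following is an added example written for this article; it is not code from IBM X-Force or from the ZeroCleare report. It assumes the defender has captured a SHA-256 hash of the healthy MBR beforehand (for instance from a golden image), and the "healthy" and "wiped" sectors it works on are constructed inline rather than taken from a real incident.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live here
BOOT_SIGNATURE = b"\x55\xaa"   # must be the last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the four partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        if ptype == 0x00:          # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "index": i,
            "status_ok": status in (0x00, 0x80),   # only "inactive"/"bootable" are valid
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def baseline_hash(sector: bytes) -> str:
    """Hash of the MBR in its known-good state; a defender records this ahead of time."""
    return hashlib.sha256(sector).hexdigest()


def assess_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["sha256"] != known_good_sha256:
        findings.append("MBR hash differs from recorded baseline")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table is empty")
    for p in info["partitions"]:
        if not p["status_ok"]:
            findings.append(f"partition {p['index']}: invalid status byte")
    return findings


def read_mbr(image_path: str) -> bytes:
    """Read the first sector from a raw disk image (or a device node, given privileges)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a stub of boot code, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"                # cli; xor ax,ax  (placeholder boot code)
    entry = struct.pack("<B3sB3sII",
                        0x80, b"\x00\x00\x00",   # bootable, CHS start ignored
                        0x07, b"\x00\x00\x00",   # type 0x07 = NTFS/exFAT, CHS end ignored
                        2048, 204800)            # LBA start, sector count
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "after wipe" sector: everything, including signature and table, zeroed.
WIPED_MBR = bytes(SECTOR_SIZE)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    good = baseline_hash(healthy)
    print("healthy:", assess_mbr(healthy, good) or "no findings")
    print("wiped:  ", assess_mbr(WIPED_MBR, good))
```

On a real system the baseline hash is taken once from a known-good image and stored off-host; the check is then run against `read_mbr()` output during triage, and any non-empty finding list is a strong signal that the first sector no longer matches what the organization deployed.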

X-Force IRIS assesses that the ITG13 threat group, also known as APT34/OilRig, and at least one other group, likely based out of Iran, collaborated on the destructive portion of the attack. X-Force IRIS’s assessment is based on ITG13's traditional mission, which has not included executing destructive cyber-attacks in the past, the gap in time between the initial access facilitated by ITG13 and the last stage of the intrusion, as well as the different TTPs the X-Force team observed.

To date, X-Force IRIS has not found any previous reporting on the "ZeroCleare" wiper, its indicators, or elements observed in this campaign. It is possible that it is a recently developed malware and that the campaign X-Force analyzed is one of the first to use this version.

© KNM Media Kent Ltd 2024. All rights reserved.