Researchers discovered a new wave of destructive attack by the Iranian hacker group using disk-wiping malware “ZeroCleare” to wipe the MBR and damage disk partitions on a large number of networked devices.
ZeroCleare malware attacks various industries such as energy and industrial sectors mainly in the Middle East, and malware believed to be developed and deployed by Iran-based nation-state hackers group.
Researchers find evidence that the ZeroCleare malware has similarities of another disk wiping Shamoon malware, that performing the destructive attack using an image of a burning US Dollar, which we have reported back in 2018.
ZeroCleare mainly targeting to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.
Similar to the Shamoon Malware, ZeroCleare employed EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions with malicious intent to wipe the MBR and damaged disk partitions.
To bypass the Windows control, threat actors using vulnerable driver and malicious PowerShell/Batch scripts along with ‘living off the land’ to expand the target and spread to various devices in the network.
The Middle East is more frequently fall this kind of destructive attacks on the energy and industrial sectors and its not limited, cybercriminals targeting the economy of rival countries.
Researchers believe that ” When these attacks are carried out by nation-state adversaries, they often have military objectives that can include accessing systems to deny access to, degrade, disrupt, deceive, or destroy the device/data.”
ZeroCleare Malware Infection Flaw
When looking that files employed by the malware, ZeroCleare comes in two versions, but only one worked. one for each Windows architecture (32-bit and 64-bit), The 32-bit version was supposed to function by installing the EldoS RawDisk driver.
Researchers observed various following malicious files arsenal that used infect devices with ZeroCleare malware and expanded through compromised networks.
In this file list, PowerShell and batch scripts are employed to spread and execute the ZeroCleare malware across the domain.
“ClientUpdate.ps1, The main PowerShell script spread itself Domain Controllers and it using the Active Directory PowerShell module GetADComputer cmdlet to identify lists of target devices to copy and execute the malware.”
According to IBM X-Force research ” Since ZeroCleare relies on the EldoS RawDisk driver, which is not a signed driver and would therefore not run by default, the attackers use an intermediary file named soy.exe to perform the workaround. They load a vulnerable but signed VBoxDrv driver, which the DSE accepts and runs, and then exploit it to load the unsigned driver, thereby avoiding DSE rejection of the EldoS driver. ”
The ZeroCleare wiper will be automatically executing itself in the final stage and delivering the file name ClientUpdate.exe that runs with legitimate license key for EldoS RawDisk driver and proceed to the disk wiping phase.
You can also read the complete technical research in the whitepaper.