Sunday, July 21, 2024

Iranian Hackers Launching New Disk-wiping Malware “ZeroCleare” To Bypass The Windows Controls & Crash Network Disks

Researchers discovered a new wave of destructive attack by the Iranian hacker group using disk-wiping malware “ZeroCleare” to wipe the MBR and damage disk partitions on a large number of networked devices.

ZeroCleare malware attacks various industries such as energy and industrial sectors mainly in the Middle East, and malware believed to be developed and deployed by Iran-based nation-state hackers group.

Researchers find evidence that the ZeroCleare malware has similarities of another disk wiping Shamoon malware, that performing the destructive attack using an image of a burning US Dollar, which we have reported back in 2018. 

ZeroCleare mainly targeting to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.

Similar to the Shamoon Malware, ZeroCleare employed EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions with malicious intent to wipe the MBR and damaged disk partitions.

To bypass the Windows control, threat actors using vulnerable driver and malicious PowerShell/Batch scripts along with ‘living off the land’ to expand the target and spread to various devices in the network.

The Middle East is more frequently fall this kind of destructive attacks on the energy and industrial sectors and its not limited, cybercriminals targeting the economy of rival countries.

Researchers believe that ” When these attacks are carried out by nation-state adversaries, they often have military objectives that can include accessing systems to deny access to, degrade, disrupt, deceive, or destroy the device/data.”

ZeroCleare Malware Infection Flaw

When looking that files employed by the malware, ZeroCleare comes in two versions, but only one worked. one for each Windows architecture (32-bit and 64-bit), The 32-bit version was supposed to function by installing the EldoS RawDisk driver.

Researchers observed various following malicious files arsenal that used infect devices with ZeroCleare malware and expanded through compromised networks.


In this file list, PowerShell and batch scripts are employed to spread and execute the ZeroCleare malware across the domain.

Infection Flaw

ClientUpdate.ps1, The main PowerShell script spread itself Domain Controllers and it using the Active Directory PowerShell module GetADComputer cmdlet to identify lists of target devices to copy and execute the malware.”

According to IBM X-Force research ”  Since ZeroCleare relies on the EldoS RawDisk driver, which is not a signed driver and would therefore not run by default, the attackers use an intermediary file named soy.exe to perform the workaround. They load a vulnerable but signed VBoxDrv driver, which the DSE accepts and runs, and then exploit it to load the unsigned driver, thereby avoiding DSE rejection of the EldoS driver. ”

The ZeroCleare wiper will be automatically executing itself in the final stage and delivering the file name ClientUpdate.exe that runs with legitimate license key for EldoS RawDisk driver and proceed to the disk wiping phase.

You can also read the complete technical research in the whitepaper.

Also Read:


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles