Friday, May 9, 2025
HomeCyber AttackIranian Hackers Launching New Disk-wiping Malware “ZeroCleare” To Bypass The Windows...

Iranian Hackers Launching New Disk-wiping Malware “ZeroCleare” To Bypass The Windows Controls & Crash Network Disks

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new wave of destructive attack by the Iranian hacker group using disk-wiping malware “ZeroCleare” to wipe the MBR and damage disk partitions on a large number of networked devices.

ZeroCleare malware attacks various industries such as energy and industrial sectors mainly in the Middle East, and malware believed to be developed and deployed by Iran-based nation-state hackers group.

Researchers find evidence that the ZeroCleare malware has similarities of another disk wiping Shamoon malware, that performing the destructive attack using an image of a burning US Dollar, which we have reported back in 2018. 

- Advertisement - Google News

ZeroCleare mainly targeting to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.

Similar to the Shamoon Malware, ZeroCleare employed EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions with malicious intent to wipe the MBR and damaged disk partitions.

To bypass the Windows control, threat actors using vulnerable driver and malicious PowerShell/Batch scripts along with ‘living off the land’ to expand the target and spread to various devices in the network.

The Middle East is more frequently fall this kind of destructive attacks on the energy and industrial sectors and its not limited, cybercriminals targeting the economy of rival countries.

Researchers believe that ” When these attacks are carried out by nation-state adversaries, they often have military objectives that can include accessing systems to deny access to, degrade, disrupt, deceive, or destroy the device/data.”

ZeroCleare Malware Infection Flaw

When looking that files employed by the malware, ZeroCleare comes in two versions, but only one worked. one for each Windows architecture (32-bit and 64-bit), The 32-bit version was supposed to function by installing the EldoS RawDisk driver.

Researchers observed various following malicious files arsenal that used infect devices with ZeroCleare malware and expanded through compromised networks.

ZeroCleare

In this file list, PowerShell and batch scripts are employed to spread and execute the ZeroCleare malware across the domain.

ZeroCleare
Infection Flaw

ClientUpdate.ps1, The main PowerShell script spread itself Domain Controllers and it using the Active Directory PowerShell module GetADComputer cmdlet to identify lists of target devices to copy and execute the malware.”

According to IBM X-Force research ”  Since ZeroCleare relies on the EldoS RawDisk driver, which is not a signed driver and would therefore not run by default, the attackers use an intermediary file named soy.exe to perform the workaround. They load a vulnerable but signed VBoxDrv driver, which the DSE accepts and runs, and then exploit it to load the unsigned driver, thereby avoiding DSE rejection of the EldoS driver. ”

The ZeroCleare wiper will be automatically executing itself in the final stage and delivering the file name ClientUpdate.exe that runs with legitimate license key for EldoS RawDisk driver and proceed to the disk wiping phase.

You can also read the complete technical research in the whitepaper.

Also Read:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...

Threat Actors Target Job Seekers with Three New Unique Adversaries

Netcraft has uncovered a sharp rise in recruitment scams in 2024, driven by three...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...