Wiper Malware Targets Middle Eastern Energy Firms: Report'ZeroCleare' Malware Suspected of Being Tied to Iran, IBM X-Force Reports
A new malware campaign suspected of being tied to Iran has been targeting companies in the energy and industrial sectors in the Middle East, according to a report from IBM X-Force.
The wiper malware dubbed ZeroCleare targets the driver vulnerability in Windows-based devices for potential industrial espionage or to disrupt critical infrastructure, the study notes.
It’s unclear if the campaign is still active and who the actors are behind the group, but the malware's methods reflect “high-level similarities with other Iranian threat actors,” the study notes.
"Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper," the IBM X-Force report notes.
The malware has the potential to affect thousands of devices at a time, causing widespread disruption that could take months to fully recover, according to the report.
An IBM X-Force spokesperson told Threatpost that although the exact extent of the attack remains unknown, at least 1,400 hosts were affected by ZeroCleare.
Attack Tactics Similar to Shamoon
ZeroCleare's tactics and techniques are similar to Shamoon, a malware strain that’s been targeting enterprises in the Middle East and U.S since 2012, the report notes.
Like Shamoon, ZeroCleare is wiper malware designed to delete data by affecting the master boot record, a massive storage unit on Windows-based devices.
The attackers have devised two versions of the malware - for 32-bit systems and 64-bit Windows systems - but only the latter version has successfully compromised devices, according to the report.
"The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines," the report states.
In the first stage of the infection, the malware performs a brute-force attack to compromise network security, enabling the attackers to easily access other network-connected devices, IBM researchers say.
Next, the malware install malicious web shells - Chopper and Tunna - for exploiting a SharePoint vulnerability. In the final stage of the infection, the attackers deploy ZeroCleare to infect as many systems as possible, the report explains.
"As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions," the report states. "Using RawDisk with malicious intent enabled ZeroCleare’s operators to wipe the MBR and damage disk partitions on a large number of networked devices."
Ties To Iranian Threat Group
IBM X-Force researchers believe that APT34, and at least one other group, likely based out of Iran, “collaborated on the destructive portion of the attack," the report states. "Looking at the geographical region hit by the ZeroCleare malware, it is not the first time the Middle East has seen destructive attacks target its energy sector."
APT34, a group also known as Oilrig and Lyceum that’s believed to backed by the Iranian government, has led attacks against government agencies and businesses, including companies in the financial, energy, chemical and telecommunications sectors, as part of an ongoing and long-term espionage campaign since 2016.
A report Palo Alto Network's Unit 42 notes that APT34 remains a significant threat to governments and businesses, rdespite a doxing of its targets and tools in March (see: Despite Doxing, OilRig APT Group Remains a Threat).
Apt34/OilRig has stolen about 13,000 credentials over the last three years, spreading out from the Middle East to other parts of the world and deploying malicious tools, including over 100 web shells for creating backdoors and communicating with compromised systems, Unit 42 researchers report.
In August, the group targeted critical control systems for oil and gas companies in the Middle East and as well as telecommunications providers in the Middle East, Africa and Central Asia, security researchers reported (see: Lyceum APT Group a Fresh Threat to Oil and Gas Companies).