ZeroCleare: an APT34 and xHunt data-wiping malware


IBM security researchers reported a few days ago that they had detected a new malware family called "ZeroCleare", attributed to the Iranian hacker group APT34 together with xHunt. The malware is directed against the industrial and energy sectors in the Middle East. The researchers did not reveal the names of the victim companies, but published a detailed 28-page report analyzing the malware.

ZeroCleare affects only Windows. Its name comes from the program database (PDB) path embedded in its binary. It is a wiper: it carries out a destructive attack that overwrites the master boot record (MBR) and the disk partitions of compromised Windows machines.

ZeroCleare is classified as malware whose behavior is somewhat similar to that of "Shamoon" (a malware that received a lot of attention because it was used in attacks on oil companies dating back to 2012). Although Shamoon and ZeroCleare have similar capabilities and behavior, the researchers say the two are separate and distinct pieces of malware.

Like Shamoon, ZeroCleare uses a legitimate disk driver, "RawDisk" by EldoS, to overwrite the master boot record (MBR) and the disk partitions of targeted Windows computers.
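What an overwrite of the MBR leaves behind, and how a responder can check a disk's first sector against a known-good baseline, is shown by the following Python script. It is an added example, not code from the IBM report or from the malware. The MBR layout it parses is the standard one (bootstrap code, four 16-byte partition entries at offset 446, and the 0x55AA boot signature at offset 510); the sample sectors, the verdict names and the device paths mentioned in the comments are constructed for the demonstration.

```python
"""Check a 512-byte master boot record for signs of a wiper overwrite.

Added example: not code from the IBM report or from ZeroCleare itself.
"""
import struct
from typing import Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Parse the boot signature and the four primary partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_signature_ok": mbr[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def assess_mbr(mbr: bytes, baseline: Optional[dict] = None) -> str:
    """Classify the sector as 'intact', 'zeroed', 'overwritten' or 'tampered'.

    zeroed      every byte is 0x00 (no boot code, no signature, no partitions)
    overwritten boot signature gone and the sector is not all zero (random fill)
    tampered    signature present but the partition table differs from the baseline
    intact      signature present and the table matches the baseline (if given)
    """
    parsed = parse_mbr(mbr)
    if not any(mbr):
        return "zeroed"
    if not parsed["boot_signature_ok"]:
        return "overwritten"
    if baseline is not None and parsed["partitions"] != baseline["partitions"]:
        return "tampered"
    return "intact"


def build_sample_mbr(partitions) -> bytes:
    """Construct a synthetic, well-formed MBR (constructed test data, not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"   # typical bootstrap prologue: jmp short, nop
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status = 0x80 if i == 0 else 0x00   # first entry marked bootable
        struct.pack_into(PART_ENTRY_FMT, mbr, offset, status, ptype, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def read_mbr(device: str) -> bytes:
    """Read the first sector of a raw device."""
    # Windows: r"\\.\PhysicalDrive0" (needs admin); Linux: "/dev/sda" (needs root).
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed baseline: two NTFS partitions (type 0x07) on a 2048-sector-aligned layout.
HEALTHY_MBR = build_sample_mbr([(0x07, 2048, 1_048_576), (0x07, 1_050_624, 20_000_000)])
BASELINE = parse_mbr(HEALTHY_MBR)
ZEROED_MBR = bytes(MBR_SIZE)                                  # wiper zero-filled the sector
RANDOM_MBR = bytes(range(256)) * 2                            # deterministic stand-in for random fill
TAMPERED_MBR = build_sample_mbr([(0x07, 2048, 1_048_576)])    # second partition entry removed

if __name__ == "__main__":
    for label, sector in [("healthy", HEALTHY_MBR), ("zeroed", ZEROED_MBR),
                          ("random", RANDOM_MBR), ("tampered", TAMPERED_MBR)]:
        print(f"{label:9s} -> {assess_mbr(sector, BASELINE)}")
```

In an incident the baseline would come from a golden image or from a pre-incident capture of the sector; without one the check still catches the two outcomes a wiper produces (a zeroed sector or a sector with the boot signature destroyed), but not a partition table that was rewritten to look plausible.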

Although the EldoS driver is not signed, the malware manages to run it by first loading a VirtualBox driver that is signed but vulnerable, then exploiting that driver to bypass Windows' driver signature enforcement and load the unsigned EldoS driver.

This malware is deployed after brute-force attacks that gain access to weakly secured network systems. Once the attackers have infected a target device, they spread the malware through the corporate network, deploying the wiper as the last step of the attack.

“The ZeroCleare wiper is part of the final stage of the overall attack. It is designed to be deployed in two different forms, adapted to 32-bit and 64-bit systems.

The general flow of events on 64-bit machines includes using a vulnerable signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and bypass some operating system safeguards that prevent unsigned drivers from running on 64-bit machines,” reads the IBM report.

The first component in this chain is called soy.exe; it is a modified version of the Turla Driver Loader.

[Figure: ZeroCleare flow chart]

That loader is used to load a vulnerable version of the VirtualBox driver, which the attackers exploit to load the EldoS RawDisk driver. RawDisk is a legitimate utility for interacting with files and partitions, and it was also used by the Shamoon attackers to access the MBR.
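The loading chain described in this paragraph and in the earlier one on the EldoS driver (a signed but vulnerable VirtualBox driver exploited to load an unsigned RawDisk driver) is visible to defenders as a short sequence of driver-load events on one host. The following Python script is an added example, not code from the IBM report: it runs a simple hunt over Sysmon Event ID 6 (Driver Loaded) records, supplied here as constructed JSON lines, and flags any host where a driver on a watch list of known-vulnerable signed drivers is followed within a time window by an unsigned driver load. The watch list (VBoxDrv.sys), the file name elrawdsk.sys used for the RawDisk driver, the host names, paths and the ten-minute window are assumptions for the demonstration and should be replaced with your own intelligence.

```python
"""Hunt Sysmon driver-load events for a vulnerable-signed-driver -> unsigned-driver chain.

Added example: not code from the IBM report. Driver names, hosts and log lines are constructed.
"""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Signed drivers known to be abusable for loading unsigned kernel code.
# Assumption: VBoxDrv.sys is the only entry; feed this set from your own intel.
VULNERABLE_SIGNED_DRIVERS = {"vboxdrv.sys"}
# Assumption: how soon after the loader driver the payload driver must appear.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed Sysmon Event ID 6 (Driver Loaded) records, one JSON object per line.
# The EventID 7 line is a distractor (image load, not a driver) and must be ignored.
SAMPLE_EVENTS = r"""
{"EventID": 6, "Computer": "HMI-01", "UtcTime": "2019-12-04 10:00:01.120", "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxDrv.sys", "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "HMI-01", "UtcTime": "2019-12-04 10:00:04.870", "ImageLoaded": "C:\\Windows\\Temp\\elrawdsk.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 6, "Computer": "ENG-WS-07", "UtcTime": "2019-12-04 09:15:00.000", "ImageLoaded": "C:\\Program Files\\Oracle\\VirtualBox\\drivers\\VBoxDrv.sys", "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "ENG-WS-07", "UtcTime": "2019-12-04 09:30:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\mouclass.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "FILE-SRV", "UtcTime": "2019-12-04 06:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxDrv.sys", "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "FILE-SRV", "UtcTime": "2019-12-04 08:30:00.000", "ImageLoaded": "C:\\Windows\\Temp\\unsigned_test.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Computer": "HMI-01", "UtcTime": "2019-12-04 10:00:05.000", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
"""


def load_events(text: str) -> list:
    """Parse JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime looks like '2019-12-04 10:00:01.120'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def is_unsigned(ev: dict) -> bool:
    """Sysmon reports Signed as 'true'/'false'; anything but a valid signature counts as unsigned."""
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"


def detect_byovd_chain(events: list) -> list:
    """Return one alert per vulnerable-driver load, plus one per unsigned load that follows it on the same host."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 6:          # only Driver Loaded events matter here
            by_host[ev["Computer"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_utc(e["UtcTime"]))
        last_loader = None   # (time, name) of the most recent vulnerable driver load on this host
        for ev in evs:
            name = ntpath.basename(ev["ImageLoaded"]).lower()
            ts = parse_utc(ev["UtcTime"])
            if name in VULNERABLE_SIGNED_DRIVERS:
                last_loader = (ts, name)
                alerts.append({"rule": "vulnerable_driver_loaded", "host": host,
                               "driver": name, "time": ev["UtcTime"]})
            elif is_unsigned(ev) and last_loader and ts - last_loader[0] <= CHAIN_WINDOW:
                alerts.append({"rule": "dse_bypass_chain", "host": host, "driver": name,
                               "loader": last_loader[1], "time": ev["UtcTime"]})
    return alerts


def run_sample() -> list:
    """Run the hunt over the constructed records."""
    return detect_byovd_chain(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data only HMI-01 produces the high-severity chain alert; ENG-WS-07 is a workstation with VirtualBox legitimately installed and gets only the low-severity watch-list hit, and FILE-SRV's unsigned load falls outside the window, which is the kind of tuning decision the window parameter exists for.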

“To gain access to the device's core, ZeroCleare uses an intentionally vulnerable driver and malicious PowerShell/batch scripts to bypass Windows controls. By adding these tactics, ZeroCleare spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause outages that could take months to fully recover from,” the report continues.

Although many of the APT campaigns the researchers expose focus on cyber espionage, some of the same groups also carry out destructive operations. Historically, many of these operations have taken place in the Middle East and have focused on energy companies and production facilities, which are vital national assets.

Although the researchers have not named with 100% certainty the group to which this malware is attributed, they initially stated that APT33 participated in creating ZeroCleare.

IBM then claimed that APT33 and APT34 created ZeroCleare, but shortly after the document was released the attribution changed to xHunt and APT34, and the researchers admitted they were not 100 percent certain.

According to the researchers, ZeroCleare attacks are not opportunistic; they appear to be targeted operations directed against specific sectors and organizations.
