ZeroCleare: the wiper malware of APT34 and xHunt

ZeroCleare

IBM security researchers published a report a few days ago on a new malware family called "ZeroCleare", created by the Iranian hacker groups APT34 and xHunt; the malware is aimed at the industrial and energy sectors in the Middle East. The researchers did not reveal the names of the victim companies, but they analysed the malware in a detailed 28-page report.

ZeroCleare affects only Windows. Its name comes from the program database (PDB) path of its binary, and the malware is used to carry out a destructive attack that overwrites the master boot record (MBR) and the disk partitions of compromised Windows machines.

ZeroCleare is classified as malware whose behaviour is very similar to "Shamoon" (a malware that was widely discussed because it was used in attacks on oil companies dating back to 2012).

Like the Shamoon malware, ZeroCleare also uses a legitimate disk driver called "RawDisk by ElDos" to overwrite the master boot record (MBR) and the disk partitions of specific computers running Windows.
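Because the damage described above is an overwrite of the first sector of the disk, a defender's first forensic question after such an incident is whether the MBR still has a valid structure. The following is an added example and is not code from the article, from IBM or from the ZeroCleare analysis: it decodes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature) and applies the sanity checks an overwritten sector typically fails. Both sample sectors are constructed in the code; the partition values (NTFS type 0x07, start LBA 2048) and the filler byte used for the "wiped" sector are illustrative assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int      # e.g. 0x07 for NTFS/exFAT, 0x00 for an empty slot
    start_lba: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte partition entries of a classic MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status (1), CHS start (3, skipped), type (1), CHS end (3, skipped),
        # LBA start (4, little-endian), sector count (4, little-endian)
        status, type_id, start_lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status == 0x80, type_id, start_lba, count))
    return entries


def mbr_looks_intact(sector: bytes) -> Tuple[bool, List[str]]:
    """Structural checks an overwritten MBR usually fails; returns (ok, reasons)."""
    reasons: List[str] = []
    if sector[510:512] != BOOT_SIGNATURE:
        reasons.append("boot signature 0x55AA missing")
    entries = parse_mbr(sector)
    for i in range(4):
        status = sector[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE]
        if status not in (0x00, 0x80):   # only "inactive" and "bootable" are valid
            reasons.append(f"entry {i}: invalid status byte 0x{status:02x}")
    if not any(e.type_id != 0 and e.sector_count > 0 for e in entries):
        reasons.append("no usable partition entry")
    return (not reasons, reasons)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one NTFS partition, valid signature."""
    bootcode = b"\x33\xc0".ljust(PART_TABLE_OFFSET, b"\x00")
    entry0 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    empty = b"\x00" * PART_ENTRY_SIZE
    return bootcode + entry0 + empty * 3 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for an overwritten sector: filler bytes, no structure."""
    return b"\x41" * MBR_SIZE


if __name__ == "__main__":
    for label, sector in (("sample", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        ok, reasons = mbr_looks_intact(sector)
        print(label, "intact" if ok else "damaged", reasons)
```

On a real system the 512 bytes would be read from the physical disk device (which needs administrative privileges), or from a disk image in an evidence collection; comparing the result against a baseline hash of the same sector taken during normal operation is the cheapest way to spot an overwrite early.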

Although the ElDos driver is not signed, the malware is able to run it by loading a VirtualBox driver that is vulnerable but signed, using it to bypass the signature verification mechanism and then load the unsigned ElDos driver.

The malware is deployed through brute-force attacks to gain access to protected network systems. Once the attackers have infected a targeted device, they spread the malware across the company network as the final stage of the infection.

“The ZeroCleare wiper is part of the final stage of the overall attack. It is designed to be deployed in two different forms, adapted to 32-bit and 64-bit systems.

The general flow of events on 64-bit machines involves using a vulnerable signed driver and then exploiting it on the targeted device to allow ZeroCleare to bypass the Windows hardware abstraction layer and get past some operating system safeguards that prevent unsigned drivers from running on 64-bit machines,” reads the IBM report.

The first driver in this chain is called soy.exe and is a modified version of the Turla driver loader.

[Figure: ZeroCleare flow chart]

That driver is used to load a vulnerable version of the VirtualBox driver, which the attackers exploit to load the EldoS RawDisk driver. RawDisk is a legitimate tool used to interact with files and partitions, and it was also used by the Shamoon attackers to reach the MBR.

“To gain access to the device's core, ZeroCleare uses an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls. By adding these tactics, ZeroCleare spread to many devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause outages that could take months to fully recover from.”
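The driver chain described above (a signed but vulnerable VirtualBox driver loaded first, the unsigned EldoS RawDisk driver loaded second) leaves a recognisable sequence in driver-load telemetry. The following is an added example and is not code from the article or from IBM's report: it parses constructed log lines written in the style of Sysmon Event ID 6 ("Driver loaded") records and flags unsigned driver loads, drivers loaded from outside the standard driver directory, and the sequence of a signed driver from an unusual path followed shortly by an unsigned one. The exact line format, the timestamps, the file names VBoxDrv.sys and elrawdsk.sys, their paths and the 60-second correlation window are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample lines in the style of Sysmon Event ID 6 (Driver loaded).
# They are illustrative only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    "EventID=6 UtcTime=2019-12-04 10:01:12 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 UtcTime=2019-12-04 10:02:40 ImageLoaded=C:\\Users\\Public\\VBoxDrv.sys "
    "Signed=true Signature=Oracle Corporation SignatureStatus=Valid",
    "EventID=6 UtcTime=2019-12-04 10:02:41 ImageLoaded=C:\\Users\\Public\\elrawdsk.sys "
    "Signed=false Signature=- SignatureStatus=Unsigned",
]

# key=value pairs; values may contain spaces (e.g. "Microsoft Windows"), so a value
# runs until the next " key=" or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
STANDARD_DRIVER_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class DriverLoad:
    time: datetime
    image: str
    signed: bool
    signature: str


def parse_event(line: str) -> DriverLoad:
    """Turn one constructed Event ID 6 line into a DriverLoad record."""
    fields: Dict[str, str] = dict(KV_RE.findall(line))
    return DriverLoad(
        time=datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", "-"),
    )


def in_standard_dir(image: str) -> bool:
    return STANDARD_DRIVER_DIR in image.lower()


def detect(lines: Iterable[str], window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return a list of findings; each finding is a tag followed by the driver path(s)."""
    loads = [parse_event(l) for l in lines if "EventID=6" in l]
    findings: List[str] = []
    signed_unusual: List[DriverLoad] = []   # signed drivers loaded from odd locations
    for ev in loads:
        if not in_standard_dir(ev.image):
            findings.append(f"NON_STANDARD_PATH {ev.image}")
            if ev.signed:
                signed_unusual.append(ev)
        if not ev.signed:
            findings.append(f"UNSIGNED_DRIVER {ev.image}")
            # The bypass pattern: a signed driver from an unusual path, then an
            # unsigned driver within the window (assumed 60 s for this example).
            for prior in signed_unusual:
                if timedelta(0) <= ev.time - prior.time <= window:
                    findings.append(f"DSE_BYPASS_PATTERN {prior.image} -> {ev.image}")
                    break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Production telemetry would normally arrive as XML or JSON rather than this flat key=value form, so only `parse_event` needs to change to run the same rules over a real Sysmon feed; the correlation rule is deliberately kept independent of any particular driver name, so it also covers other signed-but-vulnerable drivers used for the same purpose.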

Although many of the APT campaigns the researchers have exposed focus on cyber espionage, some of the same groups also carry out destructive operations. Historically, most of these operations have taken place in the Middle East and have focused on energy and manufacturing companies, which are critical national assets.

Although the researchers have not named any organisation with 100% certainty as the author of this malware, they first noted that APT33 took part in building ZeroCleare.

IBM then stated that APT33 and APT34 had built ZeroCleare, but shortly after the text was published the attribution changed to xHunt and APT34, and the researchers admitted they were not 100 percent sure.

According to the researchers, the ZeroCleare attack is not opportunistic and appears to be an operation aimed at specific sectors and organisations.

