New data-wiping malware "ZeroCleare" targeting the energy industry discovered

IBM's security unit X-Force Incident Response and Intelligence Services (X-Force IRIS) reported on December 4, 2019 that it had discovered new data-wiping malware, "ZeroCleare", targeting the energy industry in the Middle East and elsewhere. According to the X-Force IRIS security team, ZeroCleare may have been created by a hacker group backed by Iran.

New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/

ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector
https://thehackernews.com/2019/12/zerocleare-data-wiper-malware.html



X-Force IRIS monitors malware that disrupts industries in the Middle East, especially the energy industry, and discovered the new malware, named ZeroCleare, in its latest analysis. Until now, no evidence of attacks using ZeroCleare had been found, and the security team points out that ZeroCleare may have been developed only recently.

ZeroCleare is associated with a hacker group called "APT34", which appears to be backed by Iran, based on the Middle East energy-sector targeting, the attackers' own behaviour, analysis of the malware and other factors. According to X-Force IRIS, ZeroCleare shows a high degree of similarity to the malware Shamoon, which destroyed more than 30,000 computers in Saudi Arabia in 2012 in attacks targeting oil and gas companies.

Like Shamoon, ZeroCleare attempts to overwrite the master boot record (MBR) and disk partitions of Windows-based computers. To do so it abuses a legitimate hard disk driver, "RawDisk by ElDos". According to the security team, state-backed hackers often misuse legitimate tools in ways their vendors did not anticipate.



ZeroCleare first gained access to the target device by brute-forcing network account passwords. The attackers then installed a web shell such as China Chopper on the target device and loaded a signed but vulnerable Oracle VirtualBox driver to get around Windows' driver-signature checking, which allowed the unsigned ElDos RawDisk driver to run. As a result, ZeroCleare spread to computers on the networks whose passwords had been broken, affecting thousands of computers, the security team said.
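As an added illustration (not from the article or from X-Force IRIS), the following Python sketch shows how a defender might flag the chain above in host telemetry: a burst of failed logons followed on the same host by a kernel-driver load whose signer is not on an allow-list. The event format, host names, driver file names and thresholds are constructed for the example.

```python
"""Added detection sketch: correlate a burst of failed logons with a later
kernel-driver load on the same host from a signer that is not allow-listed.
Everything below (event format, hosts, file names) is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO time, host, event type, detail).
SAMPLE_EVENTS = [
    ("2019-12-01T08:00:01", "srv-01", "logon_failed", "user=admin"),
    ("2019-12-01T08:00:02", "srv-01", "logon_failed", "user=admin"),
    ("2019-12-01T08:00:03", "srv-01", "logon_failed", "user=admin"),
    ("2019-12-01T08:00:04", "srv-01", "logon_failed", "user=admin"),
    ("2019-12-01T08:00:05", "srv-01", "logon_failed", "user=admin"),
    ("2019-12-01T08:00:06", "srv-01", "logon_ok", "user=admin"),
    # a signed third-party driver, then an unsigned raw-disk driver
    ("2019-12-01T08:03:10", "srv-01", "driver_load", "image=vboxdrv.sys;signed=yes;signer=Oracle"),
    ("2019-12-01T08:03:12", "srv-01", "driver_load", "image=rawdisk.sys;signed=no;signer=-"),
    ("2019-12-01T09:10:00", "ws-07", "driver_load", "image=disk.sys;signed=yes;signer=Microsoft Windows"),
    ("2019-12-01T09:20:00", "srv-02", "logon_failed", "user=svc"),
    ("2019-12-01T09:21:00", "srv-02", "driver_load", "image=rawdisk.sys;signed=no;signer=-"),
]

def detect(events, fail_threshold=5, window=timedelta(minutes=10),
           allowed_signers=frozenset({"Microsoft Windows"})):
    """Return one alert per driver load that is unsigned or from a signer not in
    allowed_signers. Severity is 'high' when the same host saw at least
    fail_threshold failed logons within the preceding window, else 'medium'."""
    fails = defaultdict(list)   # host -> timestamps of failed logons
    alerts = []
    for ts, host, kind, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "logon_failed":
            fails[host].append(t)
            continue
        if kind != "driver_load":
            continue
        drv = dict(kv.split("=", 1) for kv in detail.split(";"))
        if drv.get("signed") == "yes" and drv.get("signer") in allowed_signers:
            continue  # trusted driver: no alert
        recent = [f for f in fails[host] if timedelta(0) <= t - f <= window]
        alerts.append({"host": host, "image": drv.get("image"),
                       "signed": drv.get("signed") == "yes",
                       "severity": "high" if len(recent) >= fail_threshold else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The signed Oracle driver is also flagged, since a non-allow-listed signed driver loading right after a brute-force burst is itself the signal for the bring-your-own-vulnerable-driver step.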

The same attackers also attempted to install the legitimate remote access software TeamViewer. Using this as a foothold, they appear to have used Mimikatz, a tool known for credential theft, to steal further network credentials from the compromised server.

The security team states that the ZeroCleare attacks are not opportunistic but clearly target specific sectors or organizations. The names of the targeted organizations had not been disclosed at the time of writing.



in Software, Security, Posted by log1h_ik