Security researchers from IBM said today they identified a new strain of destructive data-wiping malware that was developed by Iranian state-sponsored hackers and deployed in cyber-attacks against energy companies active in the Middle East.
IBM did not name the companies that have been targeted and had data wiped in recent attacks.
Instead, IBM’s X-Force security team focused on analyzing the malware itself, which they named ZeroCleare.
A 28-page PDF report is available on the tool’s capabilities, which IBM said closely resemble those of Shamoon, one of the most dangerous and destructive malware strains of the past decade. A summary of the report’s main findings follows below.
Created by xHunt and APT34
Unlike many cyber-security firms, IBM’s X-Force team did not shy away from attributing the malware and the attacks to a specific country — in this case, Iran.
“Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” the IBM security team said.
But unlike many previous cyber-attacks, which are usually carried out by a single group, IBM said this malware and the attacks behind it appear to be the result of a collaboration between two of Iran’s top-tier government-backed hacking units.
According to IBM, the ZeroCleare malware is the brainchild of xHunt (Hive0081 in the IBM report) and APT34 (ITG13 in the IBM report, also known as Oilrig).
The ZeroCleare malware
As for the malware itself, ZeroCleare is your classic “wiper,” a strain of malware designed to delete as much data as possible from an infected host.
Wiper malware is usually used in two scenarios. It’s either used to mask intrusions by deleting crucial forensic evidence or it’s used to damage a victim’s ability to carry out its normal business activity — as was the case of attacks like Shamoon, NotPetya, or Bad Rabbit.
While researching the recent ZeroCleare attacks, IBM said it identified two versions of the malware. One was created for 32-bit systems and a second for 64-bit systems. Of the two, IBM said that only the 64-bit version actually worked.
Researchers said that the attacks usually began with the hackers brute-forcing passwords to gain access to weakly secured company network accounts.
Once they had a valid account on a company server, they exploited a SharePoint vulnerability to install web shells such as China Chopper and Tunna.
With that foothold inside the company, the attackers moved laterally through the network to as many computers as possible, deploying ZeroCleare on them as the final step of the intrusion.
“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls,” IBM said.
Once ZeroCleare had elevated privileges on a host, it would load EldoS RawDisk, a legitimate, commercially available toolkit that gives applications raw access to disks and partitions below the file system.
The malware then abused this legitimate tool to “wipe the MBR and damage disk partitions on a large number of networked devices,” researchers said. Overwriting the first sector of a disk destroys the partition table and boot signature, so the machine no longer boots and the operating system can no longer locate its volumes, even though most of the data on the disk may still physically exist.
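Because the damage described above lands in the first 512 bytes of the disk, an incident responder can triage a wiped machine by reading that one sector from a disk image. The following Python is an example added here; it is not code from IBM’s report or from ZeroCleare. It builds a constructed, in-memory sample MBR (one bootable NTFS partition starting at LBA 2048, a layout assumed for the example), parses the four partition-table entries, checks the 0x55AA boot signature, and classifies the sector as intact, damaged (signature or table destroyed) or wiped (all zeros). The status labels and the `assess_image` helper that reads a raw image file are this example’s own conventions.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries at 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

# Common partition type IDs, used only to label findings in the report.
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed sample: a healthy MBR with one bootable NTFS partition.

    Not a real disk image; the layout (partition at LBA 2048, 1 GiB long)
    is an assumption made for this example.
    """
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII",
                        0x80,              # status: active/bootable
                        b"\x01\x01\x00",   # CHS start (ignored by modern loaders)
                        0x07,              # type: NTFS
                        b"\xfe\xff\xff",   # CHS end (0xFE/0xFF = beyond CHS range)
                        2048,              # LBA of first sector
                        2097152)           # length in sectors (1 GiB)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_wiped_mbr() -> bytes:
    """Constructed sample of what a wiper leaves behind: an all-zero sector."""
    return bytes(SECTOR_SIZE)


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "status": status,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            # status byte must be 0x00 or 0x80; a garbage byte means the table was overwritten
            "valid": status in (0x00, 0x80) and ptype != 0 and sectors != 0,
        })
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Classify a boot sector as 'ok', 'damaged' or 'wiped' with a list of findings."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    sector = sector[:SECTOR_SIZE]
    if not any(sector):
        return {"status": "wiped", "partitions": [], "findings": ["sector is all zeros"]}
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    partitions = parse_partition_table(sector)
    if not partitions:
        findings.append("partition table is empty")
    for p in partitions:
        if not p["valid"]:
            findings.append("entry %d is malformed (status 0x%02X, type 0x%02X, %d sectors)"
                            % (p["index"], p["status"], p["type"], p["sectors"]))
    return {"status": "ok" if not findings else "damaged",
            "partitions": partitions, "findings": findings}


def assess_image(path: str) -> dict:
    """Read the first sector of a raw disk image (or block device) and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    for label, sample in (("intact", build_sample_mbr()), ("wiped", build_sample_wiped_mbr())):
        report = assess_mbr(sample)
        print(label, report["status"], report["findings"])
        for p in report["partitions"]:
            print("  partition %d: %s, LBA %d, %d sectors"
                  % (p["index"], p["type_name"], p["lba_start"], p["sectors"]))
```

Run it against a real image with `assess_image("/path/to/disk.raw")`. A `wiped` result on the MBR does not mean the data is gone: the file system headers further into the disk may be intact, and the partition boundaries can often be recovered by scanning for them, which is why an image of the affected disk should be taken before any repair is attempted.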
IBM researchers pointed out that recent versions of the notorious Shamoon malware, used as recently as last year, also abused the same EldoS RawDisk toolkit for their “destructive” behavior. Shamoon was also created and operated by Iranian hackers, but by a different group, known as APT33 (Hive0016). It is unclear if APT33 was involved in the creation of ZeroCleare. An initial version of the IBM report claimed that APT33 and APT34 had created ZeroCleare, but this was changed to xHunt and APT34 shortly after publication, suggesting that attribution is not yet 100% clear.
Other artifacts and indicators of compromise detailed in IBM’s report tied ZeroCleare to xHunt and APT34.
Attacks happened this fall, were “targeted”
While IBM didn’t share any details about ZeroCleare victims, an IBM daily threat assessment sent this fall suggests IBM first learned of this new malware and attacks around September 20.
IBM said that none of the ZeroCleare attacks were opportunistic and that they appeared to be targeted at very specific organizations.
Past Shamoon attacks targeted companies in the energy sector that were active in the Middle East region, companies that were either Saudi-based or known partners of Saudi-based oil & gas enterprises.
Article updated two hours after publication to replace the name of one hacking group from APT33 to xHunt after IBM corrected its own report.