A new destructive data-wiping malware dubbed ZeroCleare has been spotted by IBM researchers during multiple targeted attacks against organizations from the energy and industrial sector in the Middle East.
The IBM X-Force Incident Response and Intelligence Services (IRIS) research team who discovered ZeroCleare says that it was likely developed by two Iran-backed threat actors, namely APT34 (aka Oilrig, ITG13) and another Iranian threat group tracked by IBM X-Force IRIS as Hive0081 (aka xHunt).
"Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper," the researchers say in their report, also adding that "ZeroCleare attacks are not opportunistic and appear to be targeted operations against specific organizations."
ZeroCleare being used in destructive attacks is part of a larger trend observed by the researchers after seeing a staggering increase of 200 percent in the number of such campaigns between the second half of 2018 and the first half of 2019.
ZeroCleare infection flow

The ZeroCleare wiper malware is the final payload in a multi-stage attack and it comes in two variants, one targeting 32-bit and the other 64-bit Windows systems. However, as the researchers discovered, only the 64-bit version works, since the 32-bit one crashes before actually starting the wiping process.
ZeroCleare "relies on the legitimate EldoS RawDisk driver that was previously used in Shamoon attacks to access and wipe the hard drive directly," IBM X-Force IRIS' report says.
"Using this driver, which is an inherently legitimate tool, allows ZeroCleare attackers to bypass the Windows hardware abstraction layer and avoid the OS safeguards."
ZeroCleare infection flow (Image: IBM X-Force IRIS)
To disseminate the malware to more endpoints on the network, the attackers would brute force passwords to gain access to multiple network accounts, later used to drop China Chopper and Tunna web shells after successfully exploiting an unnamed SharePoint vulnerability.
They also use legitimate remote access solutions such as TeamViewer during their targeted attacks, as well as an obfuscated Mimikatz variant for collecting and exfiltrating credentials from infected systems.
"Given the evolution of destructive malware targeting organizations in the region, we were not surprised to find that ZeroCleare bears some similarity to the Shamoon malware," the report says. "Taking a page out of the Shamoon playbook, ZeroCleare aims to overwrite the master boot record (MBR) and disk partitions on Windows-based machines."
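As an added detection example (not code from the IBM report or from ZeroCleare itself): the driver-load check a defender would run over Sysmon "Driver loaded" (Event ID 6) records to catch the legitimate EldoS RawDisk driver described above being loaded outside its expected context. The key=value log layout is a constructed flattening of Sysmon fields, and the file name `elrawdsk.sys` is an assumption for this example.

```python
"""Flag loads of the EldoS RawDisk driver in Sysmon 'Driver loaded' (Event ID 6) records."""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry), flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Signed=true Signature=Microsoft Windows",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\elrawdsk.sys Signed=true Signature=EldoS Corporation SignatureStatus=Valid",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    "EventID=6 ImageLoaded=C:\\Temp\\update.sys Signed=true Signature=EldoS Corporation SignatureStatus=Valid",
]

SUSPECT_SIGNERS = ("eldos",)             # RawDisk's publisher, as named in the report
SUSPECT_DRIVER_NAMES = {"elrawdsk.sys"}  # assumed RawDisk driver file name (assumption)
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# key=value pairs; values may contain spaces, so stop before the next " key=".
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened Sysmon line into a field dictionary."""
    return {key: value for key, value in _KV.findall(line)}


def rawdisk_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per driver-load event that looks like the RawDisk driver.

    A validly signed driver is not proof of benign use: the signer and a
    renamed binary are both checked, and a load from outside the system
    drivers directory is recorded as an extra reason.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "6":
            continue
        image = event.get("ImageLoaded", "")
        base_name = image.rsplit("\\", 1)[-1].lower()
        signer = event.get("Signature", "").lower()
        reasons = []
        if any(s in signer for s in SUSPECT_SIGNERS):
            reasons.append("signed by RawDisk publisher")
        if base_name in SUSPECT_DRIVER_NAMES:
            reasons.append("known RawDisk file name")
        if reasons and not image.lower().startswith(TRUSTED_DRIVER_DIR):
            reasons.append("loaded from outside the system drivers directory")
        if reasons:
            alerts.append({"image": image, "signer": event.get("Signature", ""),
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in rawdisk_alerts(SAMPLE_EVENTS):
        print(f"{alert['image']} ({alert['signer']}): {alert['reason']}")
```

The second sample shows why the signer check matters: a renamed copy of the driver still carries the EldoS signature, so matching on file name alone would miss it.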
Has the potential to wipe thousands of computers

"ZeroCleare was spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from," X-Force IRIS adds.
This way of running a large-scale attack against cherry-picked targets resembles the way Shamoon (aka Disttrack) was used in a previous attack from 2012 against the Saudi oil company Aramco, as observed by the Websense, Seculert, and Kaspersky security outfits.
At the time, the attackers used Shamoon to wipe all the data on more than 30,000 computers and rewrite their hard drive MBR (Master Boot Record) with the image of a burning US flag.
To get an idea of just how destructive an attack that deploys a data wiper is, IBM X-Force IRIS states in a report published in August that a target infected by nation-state actors with such malware can suffer devastating losses:
Massive destruction, massive costs: Destructive attacks are costing multinational companies $239 million on average. As a point of comparison, this is 61 times more costly than the average cost of a data breach ($3.92 million).
The long road to recovery: The debilitating nature of these attacks requires a lot of resources and time to respond and remediate, with companies on average requiring 512 hours from their incident response team.
RIP laptops: A single destructive attack destroys 12,000 machines per company on average — creating quite a tab for new devices in order to get companies’ workforce back in action.
"In addition to underpinning the economies of several Gulf nations, the Middle East petrochemical market, for example, hosts approximately 64.5% of the world’s proven oil reserves, making it a vital center of global energy architecture," X-Force IRIS concludes.
"Destructive cyberattacks against energy infrastructure in this arena, therefore, represent a high-impact threat to both the regional and international markets."