IBM X-Force security researchers discovered new destructive data-wiper malware and named it ZeroCleare after the program database (PDB) pathname found in its binary.
What is ZeroCleare?
ZeroCleare is destructive data-wiping malware targeting companies in the oil, gas and energy sectors in the Middle East and parts of Europe. It is disk-wiping malware: when executed it overwrites the MBR (Master Boot Record) and the disk partitions of Windows machines.
Mind behind ZeroCleare – OilRig!
According to IBM X-Force researchers, the behaviour and analysis of this malware indicate that Iran-based nation-state adversaries were responsible for creating and deploying it. The malware, which resembles Shamoon from 2012, was created by ITG13, also known as OilRig, xHunt, Hive0081 or APT34.
Start of the destruction
According to IBM researchers, the initial phase, a brute-force attack, originated from Amsterdam IP addresses known to be owned by OilRig.
In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based webshell named “extensions.aspx,” which “shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE,” the IBM researchers reported.
According to the reports, before moving across the network to spread the ZeroCleare malware, the threat actors attempted to install the TeamViewer remote-access software and also tried to use a modified version of the Mimikatz credential-stealing tool to steal network credentials from the compromised servers.
Malware’s working methodology and analysis
Phase 1 – Loading a signed but vulnerable driver
By default, 64-bit Windows machines have a mechanism known as DSE (Driver Signature Enforcement), which only allows Microsoft-signed drivers to be installed on the system. Since the ZeroCleare wiper needs the unsigned EldoS driver for its execution, the attackers use a file named soy.exe to load a signed but vulnerable Oracle VirtualBox driver (“VBoxDrv”) to bypass DSE.
On 32-bit Windows machines, by contrast, the malware starts directly at phase 3, as Win32 has no DSE security mechanism.
Phase 2 – Exploiting the vulnerable VBox driver
The vulnerable VBox driver is exploited to run shellcode in the kernel, which in turn loads the EldoS RawDisk driver. From here on the attacker proceeds to the phases of dropping the malware and wiping data.
The EldoS RawDisk driver is a legitimate tool for handling and interacting with files, disks, and partitions.
Phase 3 – Wiping phase
Using the EldoS driver, the attacker bypasses the Windows hardware abstraction layer and OS safeguards to drop an executable named ClientUpdate.exe, which is the actual ZeroCleare payload. Using the EldoS driver, this payload overwrites the MBR and the disk partitions of the infected Windows machine.
The ClientUpdate.exe (x64) wiping function creates a buffer of random bytes and uses a function to send this buffer to the RawDisk driver, which writes it to the disk and wipes the victim’s hard drives. Similar to what the Shamoon malware does, this overwrites the MBR, partitions, and files on the system with random junk data.
Phase 4 – Spreading across the network
This payload also drops several batch and PowerShell scripts to schedule the malicious action on the system, in order to eventually take hold of the entire network. The main PowerShell script, ClientUpdate.ps1, spreads itself to Domain Controllers (DCs), and from there to servers. It uses the Get-ADComputer cmdlet of the Active Directory PowerShell module to build lists of target devices on which to execute the malware.
The batch scripts support the spreading of the malware but work in a simpler manner, using premade text files that contain the hostnames to infect, rather than generating the lists themselves.
This is how the malware spreads across the network, leading to the widespread overwriting of MBRs and disk partitions.
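To turn the spreading behaviour just described into something a SOC can alert on, here is an added Python example (not code from IBM X-Force or this post’s author) that scores PowerShell script-block log entries for the combination of Active Directory host enumeration, remote execution or task scheduling, hostname list files, and the ClientUpdate file names. The log records are constructed for illustration; only the cmdlet and file names come from the post, and the indicator weights and alert threshold are assumptions.

```python
"""Score PowerShell script-block log entries for ZeroCleare-style lateral spread.

Added example, not IBM X-Force's or the post author's code. The events below
are constructed; the weights and ALERT_THRESHOLD are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# (indicator name, regex over the script text, weight). A single indicator such
# as Get-ADComputer is normal admin activity; the combination is what matters.
INDICATORS: List[Tuple[str, Pattern[str], int]] = [
    ("ad_enumeration", re.compile(r"\bGet-ADComputer\b", re.I), 2),
    ("remote_exec", re.compile(r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b", re.I), 2),
    ("scheduled_task", re.compile(r"\b(schtasks(\.exe)?|Register-ScheduledTask)\b", re.I), 2),
    ("named_payload", re.compile(r"ClientUpdate\.(exe|ps1)", re.I), 3),
    ("hostlist_file", re.compile(r"Get-Content\s+\S+\.txt", re.I), 1),
]
ALERT_THRESHOLD = 4  # assumption: tune against your own baseline of admin scripts


@dataclass
class ScriptBlockEvent:
    """Minimal view of a PowerShell script-block logging record (event 4104)."""
    computer: str
    user: str
    script_text: str


def score_event(event: ScriptBlockEvent) -> Tuple[int, List[str]]:
    """Return the summed weight and the names of the indicators that fired."""
    hits = [name for name, pattern, _w in INDICATORS if pattern.search(event.script_text)]
    score = sum(weight for name, _p, weight in INDICATORS if name in hits)
    return score, hits


def triage(events: List[ScriptBlockEvent]) -> List[Dict[str, object]]:
    """Return an alert record for each event at or above ALERT_THRESHOLD, in input order."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"computer": ev.computer, "user": ev.user,
                           "score": score, "indicators": hits})
    return alerts


# Constructed sample records: two benign admin tasks and two that mirror the
# PowerShell- and batch-style spreading the post describes.
SAMPLE_EVENTS = [
    ScriptBlockEvent("DC01", "CORP\\inventory-svc",
                     "Get-ADComputer -Filter * | Select-Object Name | Export-Csv inventory.csv"),
    ScriptBlockEvent("DC01", "CORP\\admin",
                     "$hosts = Get-ADComputer -Filter * | Select -Expand DNSHostName; "
                     "foreach ($h in $hosts) { Invoke-Command -ComputerName $h -FilePath .\\ClientUpdate.ps1 }"),
    ScriptBlockEvent("SRV07", "CORP\\admin",
                     "foreach ($h in Get-Content hosts.txt) { schtasks /create /s $h /tn Update /tr C:\\Temp\\ClientUpdate.exe }"),
    ScriptBlockEvent("JUMP01", "CORP\\helpdesk",
                     "Invoke-Command -ComputerName srv01 -ScriptBlock { Get-Service }"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"ALERT {alert['computer']} {alert['user']} score={alert['score']} "
              f"indicators={','.join(alert['indicators'])}")
```

Feed `triage()` with records exported from the Microsoft-Windows-PowerShell/Operational log; the two lateral-spread samples score 7 and 6 while the plain inventory and remote-service queries stay below the threshold.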
IOCs of the Malware
- 1ef610b1f9646063f96ad880aad9569d – soy.exe
- eaea9ccb40c82af8f3867cd0f4dd5e9d – saddrv.sys (vulnerable VBox driver) – Joe Sandbox analysis
- 69b0cec55e4df899e649fa00c2979661 – Win32 elrawdsk.sys – Joe Sandbox analysis
- 993e9cb95301126debdea7dd66b9e121 – Win64 elrawdsk.sys – VT analysis
- 33f98b613b331b49e272512274669844 – ZeroCleare payload (ClientUpdate.exe) – Joe Sandbox analysis
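As an added defensive example (not code from IBM X-Force or this post’s author), the Python script below sweeps a directory tree and reports any file whose MD5 matches the hashes listed above, or whose name matches one of the files named in this post. Pointed at a drivers directory it also covers the vulnerable VBox and EldoS RawDisk drivers described in phases 1 and 2. The scan path, the name list and the output format are assumptions.

```python
"""Sweep a directory tree for files matching the ZeroCleare IOCs from this post.

Added example, not IBM X-Force's or the post author's code. The hash list is
the one published in the post; the name heuristic and scan path are assumptions.
"""
import hashlib
import os
import sys
from typing import Dict, Iterator, List, Tuple

# MD5 hashes exactly as listed in the post's IOC section, mapped to a label.
ZEROCLEARE_IOCS: Dict[str, str] = {
    "1ef610b1f9646063f96ad880aad9569d": "soy.exe (loader)",
    "eaea9ccb40c82af8f3867cd0f4dd5e9d": "saddrv.sys (vulnerable VBox driver)",
    "69b0cec55e4df899e649fa00c2979661": "elrawdsk.sys (Win32 EldoS RawDisk)",
    "993e9cb95301126debdea7dd66b9e121": "elrawdsk.sys (Win64 EldoS RawDisk)",
    "33f98b613b331b49e272512274669844": "ClientUpdate.exe (ZeroCleare payload)",
}

# File names the post associates with the intrusion. A name hit is weaker
# evidence than a hash hit (a recompiled sample changes the hash but often
# keeps the name), so the two are reported with different reasons.
SUSPECT_NAMES = {"soy.exe", "saddrv.sys", "elrawdsk.sys", "clientupdate.exe", "clientupdate.ps1"}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large binaries never need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Yield every regular file under root, recursively."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def scan_tree(root: str, iocs: Dict[str, str] = ZEROCLEARE_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, reason, detail) for each match.

    reason is "hash" (detail = IOC label) or "name" (detail = the file's MD5,
    so an analyst can submit it for further checking).
    """
    hits: List[Tuple[str, str, str]] = []
    for path in iter_files(root):
        try:
            digest = md5_of_file(path)
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if digest in iocs:
            hits.append((path, "hash", iocs[digest]))
        elif os.path.basename(path).lower() in SUSPECT_NAMES:
            hits.append((path, "name", digest))
    return hits


if __name__ == "__main__":
    # Assumed default: the Windows drivers directory, where the vulnerable
    # VBox and RawDisk drivers would have to be dropped to be loaded.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for path, reason, detail in scan_tree(root):
        print(f"{reason.upper():4} {path} -> {detail}")
```

A hash hit against this list is high-confidence and should trigger isolation of the host; a name-only hit needs the reported MD5 checked against a sandbox or VirusTotal before acting on it.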
Mitigations
- Limit privileged accounts and users.
- Enable MFA.
- Keep several online and offline backups.
Stay tuned with us for more cyber stuff!
Have any suggestions or ideas for us to improve? Please feel free to reach out to us.