Cybersecurity researchers have uncovered a new, previously unknown destructive data-wiping malware that state-sponsored hackers are using in the wild to target energy and industrial organizations in the Middle East.
Dubbed ZeroCleare, the data-wiper malware has been linked to not one but two Iranian state-sponsored hacking groups—APT34, also known as ITG13 and OilRig, and Hive0081, also known as xHunt.
The team of researchers at IBM who discovered ZeroCleare says the new wiper shares some high-level similarities with the infamous Shamoon, one of the most destructive malware families, known for damaging 30,000 computers at Saudi Arabia’s largest oil producer in 2012.
Just like the Shamoon wiper, ZeroCleare uses a legitimate hard-disk driver, RawDisk by EldoS, to overwrite the master boot record (MBR) and disk partitions of targeted computers running the Windows operating system.
Though the EldoS driver is not signed, the malware still manages to load it: it first loads a vulnerable but signed Oracle VirtualBox driver, exploits that driver to bypass Windows’ driver-signature checking, and then loads the unsigned EldoS driver through it.
“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable [but signed VBoxDrv] driver and malicious PowerShell/Batch scripts to bypass Windows controls,” the researchers said.
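As an added illustration of how a defender might hunt for the driver-loading chain described above (example code written for this page, not IBM's or the article's), the following Python flags a signed VirtualBox driver load from an unusual path, any unsigned driver load, and the two occurring close together. The key=value record layout, the field names modelled on Sysmon Event ID 6, the file names and the five-minute window are all constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample records (not real telemetry) in a simplified key=value layout that
# mirrors the Sysmon Event ID 6 "Driver loaded" fields ImageLoaded / Signed / Signature.
SAMPLE_LOG = """\
time=2019-12-04T10:00:01 ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" Signed=true Signature="Microsoft Windows"
time=2019-12-04T10:02:15 ImageLoaded="C:\\Users\\Public\\vboxdrv.sys" Signed=true Signature="Oracle Corporation"
time=2019-12-04T10:02:20 ImageLoaded="C:\\Users\\Public\\rawdisk_drv.sys" Signed=false Signature=""
time=2019-12-04T11:00:00 ImageLoaded="C:\\Program Files\\Oracle\\VirtualBox\\VBoxDrv.sys" Signed=true Signature="Oracle Corporation"
"""

LINE_RE = re.compile(r'time=(\S+) ImageLoaded="([^"]*)" Signed=(true|false) Signature="([^"]*)"')
EXPECTED_VBOX_DIR = r"c:\program files\oracle\virtualbox"  # assumed legitimate install location
CHAIN_WINDOW_SECONDS = 300  # assumed: unsigned load this soon after VBoxDrv is the bypass pattern


def parse(log: str) -> List[Dict]:
    """Turn the key=value records into dicts; malformed lines are skipped."""
    events = []
    for m in LINE_RE.finditer(log):
        events.append({"time": datetime.fromisoformat(m.group(1)), "image": m.group(2),
                       "signed": m.group(3) == "true", "signer": m.group(4)})
    return events


def find_alerts(log: str) -> List[str]:
    """Return one alert string per suspicious observation, in log order."""
    alerts, last_vbox = [], None
    for ev in parse(log):
        directory, _, name = ev["image"].lower().rpartition("\\")
        if name.startswith("vboxdrv"):
            last_vbox = ev["time"]
            if directory != EXPECTED_VBOX_DIR:
                alerts.append(f"MEDIUM vboxdrv loaded from non-standard path: {ev['image']}")
        if not ev["signed"]:
            alerts.append(f"MEDIUM unsigned driver loaded: {ev['image']}")
            if last_vbox and (ev["time"] - last_vbox).total_seconds() <= CHAIN_WINDOW_SECONDS:
                alerts.append(f"HIGH unsigned driver within {CHAIN_WINDOW_SECONDS}s of VBoxDrv load "
                              f"(signed-vulnerable-driver bypass pattern): {ev['image']}")
        # Name match is only illustrative; in production key on file hash and signer instead.
        if "rawdisk" in name:
            alerts.append(f"HIGH raw-disk access driver loaded: {ev['image']}")
    return alerts


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_LOG):
        print(line)
```

Expect four alerts on the sample: the out-of-place vboxdrv load, the unsigned load, the chained-load pattern, and the raw-disk driver, while the stock VirtualBox install and ndis.sys stay silent.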