Iranian APT Groups Use ZeroCleare Wiper Against Energy Companies

Delaware, USA – December 5, 2019 – A wiper jointly developed by two Iranian APT groups, xHunt and APT34, shares traits with the latest versions of the Shamoon data-wiping malware and has been used in attacks on energy companies in the Middle East. Researchers from IBM X-Force first encountered the ZeroCleare malware in late September, and further analysis turned up two versions of the wiper, one for 64-bit and one for 32-bit Windows systems. Only the 64-bit build was functional, but nothing stops the attackers from fixing the 32-bit build so that every target can be hit. IBM found that ZeroCleare uses a vulnerable driver together with PowerShell/Batch scripts to elevate privileges on the compromised host, and then abuses EldoS RawDisk, a legitimate third-party disk-access driver, to overwrite the MBR and damage disk partitions on the networked devices it discovered.

The wiper was delivered in targeted attacks. One group scouted targets inside the energy companies' networks and ran brute-force attacks to gain access, while the other used the compromised systems as an initial foothold, moved laterally across the organization's network, and installed ZeroCleare on every system it could reach.

It is worth noting that another Iranian group, APT33, was behind the Shamoon attacks, and it is not clear why a similar wiper was developed and deployed by two other groups. Content available on Threat Detection Marketplace can help uncover brute-force attacks like the ones used here by analyzing authentication events from a wide variety of systems and services: https://my.socprime.com/en/integrations/brute-force-detection
Backup Catalog Deleted – Rule – https://tdm.socprime.com/tdm/info/xYQ2JRWcDe0l/
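The brute-force detection the article points to boils down to counting failed logons per source over a sliding time window. The following is an added example written for this page; it is not SOC Prime's rule content and not anything from the IBM report. It assumes authentication events have already been collected in a simple one-line-per-event format whose field names follow the Windows Security log (EventID 4625 = failed logon, 4624 = successful logon, IpAddress, TargetUserName, Status); the log lines, thresholds and IP addresses are constructed for illustration. Beyond a plain failure count, it also separates classic brute force (many attempts on one account) from password spraying (a few attempts each across many accounts), and flags the case a responder cares about most: a burst of failures from a source that is then followed by a successful logon to one of the targeted accounts.

```python
"""Sliding-window brute-force / password-spray detector over logon events.

Added example, not SOC Prime's or IBM's code. Assumes events have been
normalised to one line per event with Windows-style field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Three sources:
#   10.0.0.5 hammers one account and then logs in successfully,
#   10.0.0.7 tries five different accounts once each (spray),
#   10.0.0.9 fails twice, 30 minutes apart (benign typo pattern).
SAMPLE_LOG = """\
2019-09-28T10:00:01Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:00:09Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:00:17Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:00:25Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:00:33Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:00:41Z EventID=4625 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0xC000006D
2019-09-28T10:01:00Z EventID=4624 IpAddress=10.0.0.5 TargetUserName=svc_backup Status=0x0
2019-09-28T10:02:00Z EventID=4625 IpAddress=10.0.0.7 TargetUserName=alice Status=0xC000006A
2019-09-28T10:02:30Z EventID=4625 IpAddress=10.0.0.7 TargetUserName=bob Status=0xC000006A
2019-09-28T10:03:00Z EventID=4625 IpAddress=10.0.0.7 TargetUserName=carol Status=0xC000006A
2019-09-28T10:03:30Z EventID=4625 IpAddress=10.0.0.7 TargetUserName=dave Status=0xC000006A
2019-09-28T10:04:00Z EventID=4625 IpAddress=10.0.0.7 TargetUserName=erin Status=0xC000006A
2019-09-28T10:05:00Z EventID=4625 IpAddress=10.0.0.9 TargetUserName=frank Status=0xC000006A
2019-09-28T10:35:00Z EventID=4625 IpAddress=10.0.0.9 TargetUserName=frank Status=0xC000006A
"""


def parse_event(line):
    """Parse '<ISO timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5),
                       spray_users=4):
    """Return {source_ip: alert} for sources with >= threshold failed logons
    inside any `window`; an alert is labelled password_spray when the
    failures in that window hit at least `spray_users` distinct accounts.
    Thresholds are illustrative and should be tuned per environment."""
    failures = defaultdict(list)   # source ip -> failed-logon events
    successes = defaultdict(list)  # source ip -> (ts, user) of successful logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "4625":
            failures[ev["IpAddress"]].append(ev)
        elif ev.get("EventID") == "4624":
            successes[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    alerts = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # failures from `src` inside the current window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()  # drop failures that aged out of the window
            if len(recent) >= threshold:
                users = {e["TargetUserName"] for e in recent}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                # Later windows overwrite earlier ones, so the alert reflects
                # the longest run observed for this source.
                alerts[src] = {
                    "kind": kind,
                    "failures": len(recent),
                    "users": sorted(users),
                    "first": recent[0]["ts"],
                    "last": ev["ts"],
                }
    # A success for a targeted account after the failure burst suggests the
    # guess landed; surface that separately so it can be triaged first.
    for src, alert in alerts.items():
        alert["followed_by_success"] = any(
            ts > alert["last"] and user in alert["users"]
            for ts, user in successes[src]
        )
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG).items():
        print(src, alert)
```

Running the block on the constructed log flags 10.0.0.5 as brute force with a subsequent successful logon and 10.0.0.7 as a password spray, while 10.0.0.9 stays quiet. In production the same logic keys on whatever field carries the source (workstation name, client IP, or both) and should be fed from every system that authenticates, since the article's attackers brute-forced network accounts, not just one host's logons.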