Researchers have detected a new malware family called “ZeroCleare” that’s targeting the energy and industrial sectors in the Middle East.

IBM X-Force Incident Response and Intelligence Services (IRIS) launched an investigation into ZeroCleare and learned that the malware had executed a destructive attack that affected energy and industrial organizations in the Middle East.

In its analysis of the attack, the IBM X-Force team observed some parallels to Shamoon, a destructive campaign known for targeting Middle Eastern energy companies and governmental agencies with the Disttrack wiper malware. Researchers specifically found that this latest campaign mimicked Shamoon in that it used EldoS RawDisk, a legitimate toolkit, to try to overwrite the Master Boot Record (MBR) on infected machines. As the team notes in its research:

Using EldoS RawDisk with malicious intent enabled ZeroCleare’s operators to wipe the MBR and damage disk partitions on a large number of networked devices. To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls.

On top of these living-off-the-land techniques, ZeroCleare further mirrored a 2018 Shamoon campaign by spreading to multiple devices on the network. This lateral movement raised the destructive reach of the new malware to thousands of devices in a single network. Acknowledging that level of scope, IBM noted that a successful attack could “cause disruption that could take months to fully recover from.”
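The two behaviours described above, a kernel driver load used to reach the disk and a raw write to the MBR, are exactly the telemetry Sysmon records as Event ID 6 (DriverLoad) and Event ID 9 (RawAccessRead). The following is an added example, not code from the original article or from IBM X-Force, that parses Sysmon events and flags hosts showing both signals. The host names, file paths, signer name and the raw-access allowlist in it are constructed assumptions for illustration; a validly signed non-Microsoft driver is only flagged at medium severity because, as the article notes, the driver ZeroCleare abused was intentionally vulnerable rather than unsigned.

```python
"""Hunt for the ZeroCleare-style pattern in Sysmon telemetry: a kernel driver load
(Sysmon Event ID 6, DriverLoad) and raw disk access (Event ID 9, RawAccessRead) on the
same host. Added example with constructed sample events; not page or IBM X-Force code."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist of images that legitimately read disks raw (VSS, backup, EDR);
# tune this to the environment being hunted.
RAW_ACCESS_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}


def parse_event(xml_text):
    """Return event_id, computer and the EventData name/value pairs of one Sysmon event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {"event_id": int(system.find("e:EventID", NS).text),
            "computer": system.find("e:Computer", NS).text,
            "data": data}


def check_driver_load(ev):
    """Event 6: an unsigned or invalidly signed driver is high; a validly signed
    non-Microsoft driver is medium, because a bring-your-own-vulnerable-driver load
    (the ZeroCleare case) carries a legitimate signature."""
    d = ev["data"]
    image = d.get("ImageLoaded", "")
    signed_ok = (d.get("Signed", "").lower() == "true"
                 and d.get("SignatureStatus") == "Valid")
    if not signed_ok:
        return {"host": ev["computer"], "rule": "driver_load_unsigned_or_invalid",
                "severity": "high", "image": image}
    if not d.get("Signature", "").startswith("Microsoft"):
        return {"host": ev["computer"], "rule": "driver_load_third_party",
                "severity": "medium", "image": image, "signer": d.get("Signature")}
    return None


def check_raw_access(ev):
    """Event 9: a process outside the allowlist opened a disk device for raw access."""
    d = ev["data"]
    image = d.get("Image", "")
    if (d.get("Device", "").lower().startswith(r"\device\harddisk")
            and image.lower() not in RAW_ACCESS_ALLOWLIST):
        return {"host": ev["computer"], "rule": "raw_disk_access_unexpected_image",
                "severity": "high", "image": image, "device": d.get("Device")}
    return None


def hunt(xml_events):
    """Run the per-event checks over raw Sysmon XML strings and return the findings."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        check = {6: check_driver_load, 9: check_raw_access}.get(ev["event_id"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def correlate_hosts(findings):
    """Hosts showing BOTH a suspicious driver load and unexpected raw disk access;
    that pairing is the wiper pattern and outranks either finding on its own."""
    loads = {f["host"] for f in findings if f["rule"].startswith("driver_load")}
    raw = {f["host"] for f in findings if f["rule"] == "raw_disk_access_unexpected_image"}
    return loads & raw


def _event(event_id, computer, fields):
    """Build a Sysmon-shaped XML event (constructed sample data, not a real capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [  # hostnames, paths and the signer name below are hypothetical
    _event(6, "WS-ENERGY-07", {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
                               "Signed": "true", "Signature": "Microsoft Windows",
                               "SignatureStatus": "Valid"}),
    _event(6, "WS-ENERGY-07", {"ImageLoaded": r"C:\Users\Public\saddrv.sys",
                               "Signed": "true", "Signature": "Contoso Software Ltd",
                               "SignatureStatus": "Valid"}),
    _event(9, "WS-ENERGY-07", {"Image": r"C:\Users\Public\ClientUpdate.exe",
                               "Device": r"\Device\HarddiskVolume2"}),
    _event(9, "WS-ENERGY-12", {"Image": r"C:\Windows\System32\vssvc.exe",
                               "Device": r"\Device\HarddiskVolume2"}),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("hosts matching the wiper pattern:", correlate_hosts(found))
```

Run against an export of the `Microsoft-Windows-Sysmon/Operational` log (for example one `<Event>` element per entry from `wevtutil qe ... /f:xml`), the third-party driver rule will be noisy on fleets with security or backup agents, so baseline the signers seen in normal operation before treating a medium finding on its own as an incident; the per-host correlation is the signal worth paging on.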

Researchers at IBM suspect Iran-linked actors helped develop and deploy the new wiper, based on ZeroCleare's code as well as its handlers' behavior.

Additional information about this threat, including its infection flow, can be found here.

Figure 1: ZeroCleare’s top-level infection flow (Source: IBM X-Force)

The emergence of new malware families like ZeroCleare highlights the need for industrial and energy organizations alike to defend