Security researchers from IBM X-Force have identified a
new wiper malware, possibly developed and deployed by state-funded Iranian
groups in the Middle East.
The malware, which the researchers dubbed ZeroCleare, is designed
to destroy data on targeted devices or at least make it difficult to retrieve.
The IBM X-Force security unit believes it’s the product of a collaboration
between several Iranian state-sponsored groups.
According to an ArsTechnica report, the attacks sought specific
targets in the energy and industrial sectors in countries considered rivals to
Iran. While the link to Iranian state-sponsored groups is not 100% certain,
it’s very likely, given the known attack vectors and the targets.
“While X-Force IRIS cannot attribute the activity
observed during the destructive phase of the ZeroCleare campaign, we assess
that high-level similarities with other Iranian threat actors, including the
reliance on ASPX web shells and compromised VPN accounts, the link to ITG13
activity, and the attack aligning with Iranian objectives in the region, make it
likely this attack was executed by one or more Iranian threat groups,” the
researchers said, as quoted by ArsTechnica.
The attacks came from Amsterdam IP addresses, which have
been used in the past by another infamous group, known by the names APT34 and Oilrig.
The bad actors also used a SharePoint vulnerability and tried to install
TeamViewer for complete remote access.
Wiper malware needs direct access to the disk, so it relies on existing
unsigned drivers to gain that access on targeted PCs. In the case of
ZeroCleare, it uses the EldoS and VBoxDrv drivers to bypass Driver
Signature Enforcement in Windows, then overwrites the MBR and the partitions
of the targeted PC.
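To make concrete what "overwriting the MBR" destroys, here is an added example (not code from the article or from IBM X-Force) that parses sector 0 of a disk image and flags a wiped master boot record; the sample MBR with one NTFS partition is constructed for the demonstration and is not from any real disk.

```python
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


@dataclass
class PartitionEntry:
    status: int        # 0x80 = bootable, 0x00 = inactive
    part_type: int     # e.g. 0x07 NTFS, 0xEE protective MBR for GPT
    lba_start: int
    sector_count: int

    @property
    def is_empty(self) -> bool:
        return self.part_type == 0 and self.sector_count == 0


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four classic MBR partition entries (little-endian fields)."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes (sector 0)")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        entries.append(PartitionEntry(status, ptype, lba, count))
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """Integrity findings for sector 0: a wiper that overwrites it leaves no
    boot signature and no usable partition entries behind."""
    entries = parse_partition_table(mbr)
    valid = sum(1 for e in entries if not e.is_empty and e.status in (0x00, 0x80))
    sig_ok = mbr[510:512] == BOOT_SIGNATURE
    return {
        "boot_signature_ok": sig_ok,
        "valid_partitions": valid,
        "all_zero": not any(mbr[:MBR_SIZE]),          # true after a zero-fill overwrite
        "likely_wiped": (not sig_ok) or valid == 0,  # garbage or zeros both trip this
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition at LBA 2048 (not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

Run `assess_mbr()` over the first 512 bytes of a forensic image; an intact disk reports `likely_wiped: False`, while a zero-filled or garbage-filled sector 0 reports `True`.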