Please complete the form below with your resume attached.

Your Name (required)                                             Email Address (required):                                        Phone Number (required):


Why should we consider you for the position? How would you be an asset to our company?


Your Picture  

Note: Only .doc .docx and .pdf files smaller than 5MB

Upload CV / Resume  

Upload Cover Letter  

New ZeroCleare data-wiping malware deployed by Iranian hackers

There is a a new destructive malware out in the wild and it is targeting energy companies in the Middle East. The said malware found by IBM security researchers which they named ‘ZeroCleare’ is a strain of a destructive data-wiping variant. It has been said that it was developed and deployed by Iranian state-sponsored hackers to target energy companies in the Middle East.

IBM did not disclose the names of the companies who had been victims in recent attacks. The IBM X-Force security team analyzed the malware. They even released a 28-page report explaining in detail of its capabilities and it was said that that it closely resembles the Shamoon malware.

“Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” the IBM security team said.

“Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” the IBM security team said.

As per their 28-page report, it is a collaboration between two hacking groups xHunt (Hive0081) and APT34 (ITG13 in the IBM report, also known as Oilrig).

This malware is considered as a “wiper” which is a malware strain specifically designed to delete as much data as possible from a host it has infected.

Typical scenarios would be the following:

  1. To mask intrusion by deleting crucial forensics evidence
  2. To cripple business activities.

There are a few disk-wiping malware out there such as Shamoon, NotPetya, or Bad Rabbit etc.

During their research, they have identified 2 versions of the said malware. One for 32bit systems and the other one for 64 bit systems. Between the two, IBM confirmed that the 64 bit version actually worked.

As per their researchers, the attack vector begins by executing brute-force attacks to gain access to weakly secured company network accounts. Once they get in to the server, they capitalize on an exploit via a SharePoint vulnerability to install web shells like China Chopper and Tunna.

They will try to spread to as many computers as possible where they deployed ZeroCleare as the last step of their attack vector.

“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls,” IBM said.

They will try to force their way to have elevated privileges on a host and it would load EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions.

They basically used a legit tool to wipe the MBR and damage the disk partitions on a large number of networked devices.

Last year, Shamoon used the same technique using Eldos RawDisk toolkit to wreck havoc. It is also known that Shamoon also was operated by Iranian Hackers known as APT33 (Hive0016).

As of this writing, it is not confirmed if APT33 was involved in the creations of ZeroCleare. In the initial version of the IBM report, it claimed that APT33 and APT34 had created ZeroCleare, but it was updated to xHunt and APT34, shortly after publication.

Although the ZeroCleare victims were not named, they did specify when they have learned about this malware attack. IBM suggests that September 20, 2019 was when they have learned about this.

IBM disclosed that they the attack was positioned to target very specific organizations. Unlike Shamoon, it targeted companies in the energy sector that were active in the Middle East region, companies that were either Saudi-based or known partners for Saudi-based oil & gas enterprises.

Written by

No Comments Yet.

Leave a Reply