New Iranian wiper discovered during attacks on companies in the Middle East

IBM X-Force, the company’s security unit, has published a report on a new strain of wiper malware that is linked to Iranian threat groups and is being used in destructive attacks on companies in the Middle East. The malware was discovered in response to an attack on what an IBM spokesperson described as “a new environment in the (Middle East) – not in Saudi Arabia, but another regional rival of Iran.”

Dubbed ZeroCleare, the malware is “a likely collaboration between Iranian state-sponsored groups,” according to the IBM X-Force researchers. The attacks targeted specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group IBM tracks as “ITG13”, also known as “Oilrig” and APT34. A second Iranian threat group may have used the same addresses to access accounts before the wiper campaign began.

“Although X-Force IRIS cannot attribute the activity during the destructive phase of the ZeroCleare campaign,” the researchers noted, “we assess that high-level similarities with other Iranian threat actors, including dependence on ASPX webshells and compromised VPN accounts, the link to ITG13 activity and the attack that is in line with Iranian targets in the region make it likely that this attack was carried out by one or more Iranian threat groups.”

In addition to the brute-force attacks on network accounts, the attackers exploited a SharePoint vulnerability to plant web shells on a SharePoint server. These included China Chopper, Tunna and another Active Server Pages-based web shell named “extensions.aspx”, which “shared similarities with the ITG13 TWOFACE / SEASHARPEE tool,” the IBM researchers reported. The attackers also attempted to install TeamViewer’s RemoteView software and used a modified version of the Mimikatz credential-stealing tool, obfuscated to disguise its purpose, to harvest further network credentials from the compromised servers. From there they moved across the network to spread the ZeroCleare malware.
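The report describes the intrusion beginning with brute-force password attacks against network accounts. The following is an added detection example, not code from IBM X-Force or the article: it walks a list of logon records (the shape of Windows 4624/4625 events after parsing) and reports every success that follows a burst of failures from the same source within a short window, distinguishing a single-account brute force from a password spray across several accounts. The sample log, the threshold and the window are constructed assumptions for this example, and the IP addresses come from documentation ranges rather than from the report.

```python
"""Spotting the brute-force-then-success logon pattern described above.

Input: logon records reduced to time|source_ip|account|outcome, where outcome
is FAIL or SUCCESS. The sample log below is constructed for this example; the
addresses are documentation ranges, not indicators from the IBM report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 5              # failures from one source before it counts as brute force (assumed)
WINDOW = timedelta(minutes=15)  # only failures this recent are counted (assumed)


def parse_logon(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one record of the form time|source_ip|account|outcome."""
    t, ip, account, outcome = line.strip().split("|")
    return datetime.fromisoformat(t), ip, account, outcome


def analyze(lines: List[str]) -> Dict:
    """Return {"compromised": [...], "ongoing": {...}}.

    compromised: one alert per successful logon that follows at least
    FAIL_THRESHOLD failures from the same source within WINDOW, with the set
    of accounts that were tried (more than one account means a spray).
    ongoing: sources still above the threshold at the end of the log with no
    success seen, i.e. an attack that has not worked (yet).
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    compromised = []
    for t, ip, account, outcome in sorted(parse_logon(line) for line in lines):
        failures = recent[ip]
        while failures and t - failures[0][0] > WINDOW:   # drop stale failures
            failures.popleft()
        if outcome == "FAIL":
            failures.append((t, account))
        elif outcome == "SUCCESS" and len(failures) >= FAIL_THRESHOLD:
            tried = sorted({acct for _, acct in failures})
            compromised.append({"source": ip, "account": account, "time": t,
                                "failures": len(failures), "accounts_tried": tried,
                                "spray": len(tried) > 1})
            failures.clear()   # the burst has been reported once
    ongoing = {ip: len(q) for ip, q in recent.items() if len(q) >= FAIL_THRESHOLD}
    return {"compromised": compromised, "ongoing": ongoing}


# Constructed sample: 203.0.113.7 sprays four accounts and then gets in as
# svc_backup; 198.51.100.20 is a user mistyping a password twice;
# 198.51.100.22 is a still-running burst against one account.
SAMPLE_LOG = [
    "2019-12-04T09:00:00|203.0.113.7|admin|FAIL",
    "2019-12-04T09:00:10|203.0.113.7|jsmith|FAIL",
    "2019-12-04T09:00:20|203.0.113.7|svc_backup|FAIL",
    "2019-12-04T09:00:30|203.0.113.7|administrator|FAIL",
    "2019-12-04T09:00:40|203.0.113.7|admin|FAIL",
    "2019-12-04T09:00:50|203.0.113.7|svc_backup|FAIL",
    "2019-12-04T09:01:00|203.0.113.7|svc_backup|SUCCESS",
    "2019-12-04T09:05:00|198.51.100.20|mlee|FAIL",
    "2019-12-04T09:05:30|198.51.100.20|mlee|FAIL",
    "2019-12-04T09:05:45|198.51.100.20|mlee|SUCCESS",
    "2019-12-04T09:10:00|198.51.100.21|kchan|SUCCESS",
    "2019-12-04T09:20:00|198.51.100.22|admin|FAIL",
    "2019-12-04T09:21:00|198.51.100.22|admin|FAIL",
    "2019-12-04T09:22:00|198.51.100.22|admin|FAIL",
    "2019-12-04T09:23:00|198.51.100.22|admin|FAIL",
    "2019-12-04T09:24:00|198.51.100.22|admin|FAIL",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["compromised"]:
        print("compromised:", alert)
    print("ongoing bursts:", result["ongoing"])
```

The window is pruned per source as events arrive, so memory stays bounded by the number of distinct sources; the `ongoing` map is what you would page an analyst on before a success appears, while `compromised` is the account to reset and investigate first.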

Hiding the driver

Like the Shamoon wiper, ZeroCleare uses EldoS’s legitimate RawDisk software driver to gain direct access to disk drives and overwrite data. Because the EldoS driver is unsigned, ZeroCleare bypasses the driver signature check on 64-bit versions of Windows by first loading a vulnerable but signed driver taken from a version of Oracle’s VirtualBox virtual machine software. That VBoxDrv driver, which passes Microsoft’s Driver Signature Enforcement, is loaded by an intermediary executable; in the cases detected by IBM X-Force, the file was named soy.exe. Once the vulnerable VirtualBox driver is loaded, the malware exploits a bug in it to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware skips this workaround and loads the EldoS driver directly.
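The two-stage load described above leaves a recognisable trace in driver-load telemetry: a signed but known-vulnerable driver appears, and an unsigned driver follows shortly after on the same host. The following is an added hunting example, not code from IBM X-Force or the article. It assumes driver-load records with the fields of Sysmon Event ID 6 (ImageLoaded, Signed, Signature) flattened into one line each; the only file name taken from the report is VBoxDrv.sys, every other path, signer string and host name in the sample is a constructed placeholder, and the ten-minute chain window is an assumption.

```python
"""Hunting for the signed-bridge-then-unsigned driver load chain described above.

Input: driver-load records reduced to time|host|ImageLoaded|Signed|Signature.
All sample events below are constructed for this example; file names other
than VBoxDrv.sys are placeholders, not indicators from the IBM report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Signed drivers known to be abusable as a bridge for loading unsigned code.
# VBoxDrv is named in the article; the set is a defender-maintained list
# (an assumption here), not an exhaustive catalogue.
VULNERABLE_SIGNED_DRIVERS = {"vboxdrv.sys"}

# Maximum gap between the signed-but-vulnerable load and the unsigned load
# for the two events to be reported as one chain (assumed value).
CHAIN_WINDOW = timedelta(minutes=10)


@dataclass
class DriverLoad:
    time: datetime
    host: str
    image: str        # ImageLoaded: full path of the driver file
    signed: bool      # Signed: whether the file carries a valid signature
    signature: str    # Signature: signer name, or "-" when unsigned


def parse_event(line: str) -> DriverLoad:
    """Parse one record of the form time|host|ImageLoaded|Signed|Signature."""
    t, host, image, signed, signature = line.strip().split("|")
    return DriverLoad(datetime.fromisoformat(t), host, image,
                      signed.lower() == "true", signature)


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_driver_chains(events: List[DriverLoad]) -> List[Dict]:
    """Report, per host, a vulnerable signed driver load followed within
    CHAIN_WINDOW by an unsigned driver load: the 64-bit DSE bypass pattern."""
    alerts = []
    by_host: Dict[str, List[DriverLoad]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)
    for host, loads in by_host.items():
        for i, first in enumerate(loads):
            if basename(first.image) not in VULNERABLE_SIGNED_DRIVERS:
                continue
            for later in loads[i + 1:]:
                if later.time - first.time > CHAIN_WINDOW:
                    break   # loads are time-sorted, nothing later can chain
                if not later.signed:
                    alerts.append({"host": host, "bridge": first.image,
                                   "unsigned": later.image,
                                   "gap_seconds": int((later.time - first.time).total_seconds())})
    return alerts


def find_unsigned_loads(events: List[DriverLoad]) -> List[DriverLoad]:
    """Every unsigned driver load. On 32-bit hosts without Driver Signature
    Enforcement this alone is the wiper's path, so it is reported on its own."""
    return [ev for ev in events if not ev.signed]


# Constructed sample: WS-01 shows the full chain, WS-02 an unsigned load too
# far from its VBoxDrv load to be chained, WS-03 only ordinary signed drivers.
SAMPLE_EVENTS = [
    "2019-12-04T10:00:01|WS-01|C:\\Windows\\System32\\drivers\\ntfs.sys|true|Microsoft Windows",
    "2019-12-04T10:00:05|WS-01|C:\\Users\\Public\\VBoxDrv.sys|true|Oracle Corporation",
    "2019-12-04T10:00:09|WS-01|C:\\Users\\Public\\rawdisk_placeholder.sys|false|-",
    "2019-12-04T11:00:00|WS-02|C:\\Temp\\VBoxDrv.sys|true|Oracle Corporation",
    "2019-12-04T11:45:00|WS-02|C:\\Temp\\unsigned_placeholder.sys|false|-",
    "2019-12-04T12:00:00|WS-03|C:\\Windows\\System32\\drivers\\tcpip.sys|true|Microsoft Windows",
]


def run_sample() -> Dict:
    """Apply both detections to the constructed sample."""
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    return {"chains": find_driver_chains(events),
            "unsigned": [ev.image for ev in find_unsigned_loads(events)]}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Matching on the bridge driver's file name is deliberately weak, since an attacker can rename the file; in production the lookup key should be the file hash or signer-plus-version from the same event, and the unsigned-load check stands on its own because a host running without Driver Signature Enforcement has no other signal to offer.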

The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.

The victims of the attacks were in the energy and industrial sectors in countries that Iran regards as rivals in the Persian Gulf. This is not the only ongoing Iran-linked campaign: there have been anecdotal reports of other attacks by Iran’s APT33 on energy companies in the US and other nations, and of another Iran-linked group focusing on an American presidential campaign (President Trump’s, according to Reuters).
