Security researchers from IBM X-Force have identified a new wiper malware, possibly developed and deployed by state-funded Iranian groups in the Middle East.
The malware, which the researchers dubbed ZeroCleare, is designed to destroy data on targeted devices or at least make it difficult to retrieve. The IBM X-Force security unit believes it’s the product of a collaboration between several Iranian state-sponsored groups.
According to an ArsTechnica report, the attacks sought specific targets in the energy and industrial sectors in countries considered rivals to Iran. While the link to Iranian state-sponsored groups is not 100% certain, it’s very likely, given the known attack vectors and the targets.
“While X-Force IRIS cannot attribute the activity observed during the destructive phase of the ZeroCleare campaign, we assess that high-level similarities with other Iranian threat actors, including the reliance on ASPX web shells and compromised VPN accounts, the link to ITG13 activity, and the attack aligning with Iranian objectives in the region, make it likely this attack was executed by one or more Iranian threat groups,” the researchers wrote, as quoted by Ars Technica.
The attacks came from Amsterdam IP addresses that have previously been used by another well-known Iranian group, tracked as APT34 and OilRig. The attackers also exploited a SharePoint vulnerability to plant web shells and attempted to install TeamViewer for full remote access.
A wiper needs raw access to the disk, below the file system, and a kernel driver is the usual way to get it. ZeroCleare uses the EldoS RawDisk driver for that raw access. Because the EldoS driver it carries is not signed, Driver Signature Enforcement on 64-bit Windows would refuse to load it, so the 64-bit variant first loads a signed but vulnerable VirtualBox driver (VBoxDrv), exploits it to bypass that enforcement, then loads the EldoS driver and overwrites the MBR and the partitions of the targeted machine. The VirtualBox driver is legitimate, signed software, so a signature check alone does not stop this step; alerting on or blocking the loading of known vulnerable drivers is what catches it.
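Because the end result of the chain above is an overwritten MBR, one check a responder or a monitoring job can run is a structural validation of sector 0 and a comparison against a baseline captured while the machine was healthy. The following is an added example written for this article, not code from IBM X-Force or from the ZeroCleare sample; the sample sectors it parses are constructed inline (a one-partition MBR and fully overwritten sectors) and are not captures from an infected host.

```python
"""MBR integrity check (added example with constructed sample sectors)."""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap area, four partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap": sector[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the MBR looks structurally intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if len(set(info["bootstrap"])) == 1:
        # A wiper that fills the sector with one byte value leaves no real boot code behind.
        findings.append("bootstrap code area is a single repeated byte")
    if not any(p["type"] != 0 for p in info["partitions"]):
        findings.append("partition table has no entries")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {n}: non-empty type with zero length")
    return findings


def partition_table_changed(baseline: bytes, current: bytes) -> list:
    """Indices of partition entries whose type, start or length differ from the baseline capture."""
    old = parse_mbr(baseline)["partitions"]
    new = parse_mbr(current)["partitions"]
    return [n for n in range(4) if old[n] != new[n]]


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a short bootstrap stub and one bootable NTFS partition at LBA 2048."""
    bootstrap = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8).ljust(PARTITION_TABLE_OFFSET, b"\x00")
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bootstrap + ntfs + bytes(16) * 3 + BOOT_SIGNATURE


def build_wiped_mbr(fill: int = 0x00) -> bytes:
    """Constructed sector overwritten end to end with a single byte value (the fill pattern is arbitrary)."""
    return bytes([fill]) * MBR_SIZE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    print("healthy:", assess_mbr(healthy) or "no findings")
    print("zeroed :", assess_mbr(build_wiped_mbr()))
    print("changed entries vs. baseline:", partition_table_changed(healthy, build_wiped_mbr(0x55)))
```

On a live system the 512 bytes would come from reading sector 0 of the raw device (for example `\\.\PhysicalDrive0` on Windows, which requires administrative rights), and the baseline should be captured and stored off-host while the machine is known good; the structural checks alone flag a sector that has been filled with one byte, but the baseline comparison is what catches a partition table that was replaced with plausible-looking garbage.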