Cybersecurity researchers have uncovered a new, previously undiscovered destructive data-wiping malware that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East.
Dubbed ZeroCleare, the data wiper malware has been linked to not one but two Iranian state-sponsored hacking groups – APT34, also known as ITG13 and Oilrig, and Hive0081, also known as xHunt.
A team of researchers at IBM who discovered the ZeroCleare malware says that the new wiper malware shares some high-level similarities with the infamous Shamoon, one of the most destructive malware families known for damaging 30,000 computers at Saudi Arabia’s largest oil producer in 2012.
Just like the Shamoon wiper malware, ZeroCleare also uses a legitimate hard disk driver called ‘RawDisk by ElDos’ to overwrite the master boot record (MBR) and disk partitions of targeted computers running the Windows operating system.
Though the EldoS driver is not signed, the malware still manages to run it by loading a vulnerable but signed Oracle VirtualBox driver, exploiting that driver to bypass the signature-checking mechanism and load the unsigned EldoS driver.
“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable [but signed VBoxDrv] driver and malicious PowerShell/Batch scripts to bypass Windows controls,” the researchers said.
To deploy the ZeroCleare malware on as many computers in an organization as possible, attackers first attempt to brute-force network account passwords and then install ASPX web shells, such as China Chopper and Tunna, by exploiting a SharePoint vulnerability.
“Adding these living-off-the-land tactics to the scheme, ZeroCleare was spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to recover from fully,” the researchers said.
The same threat actors also attempted to install legitimate remote access software called TeamViewer and used an obfuscated version of the Mimikatz credential-stealing tool to steal more network credentials of the compromised servers.
Though researchers haven’t disclosed the names of any targeted organizations, they did confirm that two versions of ZeroCleare have been seen in the wild, one for each Windows architecture (32-bit and 64-bit), but only the 64-bit version works.
According to the researchers, the ZeroCleare attacks are not opportunistic and appear to be targeted operations against specific sectors and organizations.
“X-Force IRIS has been following a marked increase in destructive attacks in the past year, having logged a whopping 200 percent increase in the amount of destructive attacks in the past six months,” the researchers said.
“Looking at the geographical region hit by the ZeroCleare malware, it is not the first time the Middle East has seen destructive attacks target its energy sector.”
ZeroCleare is likely the work of Iran-based nation-state adversaries, according to researchers – specifically, APT34 (a.k.a. OilRig or ITG13).
APT34 likely also collaborated on the destructive portion of the ZeroCleare attack with at least one other group, researchers found.
“X-Force IRIS’s assessment is based on ITG13’s traditional mission, which has not included executing destructive cyberattacks in the past, the gap in time between the initial access facilitated by ITG13 and the last stage of the intrusion, as well as the different [tactics, techniques and procedures] our team observed,” the firm said.
More specifically, for initial access, the IP address 193.111.152[.]13, which is associated with recent APT34 efforts, was used to scan target networks and access accounts in the first phase of the attack.
In later phases, another IP address joined the fray, 194.187.249[.]103, which is adjacent to another IP address, 194.187.249[.]102.
“The latter was used several months prior to the attack by the threat actor Hive0081 (a.k.a. xHunt),” IRIS noted.
Threatpost has reached out to IRIS for more details on the targets and result of the ZeroCleare attack.
Destructive Attacks on the Rise
Wiper attacks – which focus on destroying infrastructure and disrupting operations rather than on data exfiltration – have been on the rise in 2019, with IRIS observing a 200-percent increase in their telemetry over the past six months.
“The destructive attacks we have seen are being carried out by threat actors of varying motivations who could be employing destructive components in their attacks,” according to the analysis.
“Some pressure victims to pay them, others counterblow when they are not paid.
When these attacks are carried out by nation-state adversaries, they often have military objectives that can include accessing systems to deny access to, degrade, disrupt, deceive or destroy devices and/or data.”
Essentially, these types of attacks can be carried out in lieu of conventional military tactics, IRIS said.
“It presents Iran, in this case, with a low-cost and potentially nonattributable means of conducting hostile and even warlike activities,” according to the analysis.
“With attribution to one specific group becoming a challenge nowadays, working under the cyber cloak of anonymity can also allow Iran to evade sanctions and preserve its relations with international players who may support its economic and nuclear energy interests.”
Infection Flow Basics
As the facilitator of the endgame of the attack, the ZeroCleare wiper is part of the final stage of the overall operation.
It is designed to deploy two different ways adapted to 32-bit and 64-bit systems.
The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines.
This workaround has likely been used because 64-bit Windows-based devices are protected with Driver Signature Enforcement (DSE).
This control is designed to only allow drivers which have been signed by Microsoft to run on the device. Since ZeroCleare relies on the EldoS RawDisk driver, which is not a signed driver and would therefore not run by default, the attackers use an intermediary file named soy.exe to perform the workaround.
They load a vulnerable but signed VBoxDrv driver, which the DSE accepts and runs, and then exploit it to load the unsigned driver, thereby avoiding DSE rejection of the EldoS driver.
Once loaded, the vulnerable VBoxDrv driver is exploited to run shellcode at the kernel level. Post-exploitation, the driver is used to load the unsigned EldoS driver and proceed to the disk-wiping phase.
Having analyzed soy.exe, we determined it was a modified version of the Turla Driver Loader (TDL), which is used to facilitate that very DSE bypass.
The same process does not apply to the 32-bit systems as they do not limit running unsigned drivers in the same manner.
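The driver-load sequence just described leaves a recognisable trace in endpoint telemetry: a validly signed VirtualBox driver loaded under a file name VirtualBox never uses, followed shortly by an unsigned driver on the same host. The following Python detection is an added example (not IBM's code and not from the report); it assumes Sysmon-style DriverLoad (Event ID 6) fields plus a constructed Host field, and the records, host names and the unsigned driver's file name are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style DriverLoad (Event ID 6) records; hosts, times and file names are made up.
SAMPLE_EVENTS = r"""
UtcTime=2019-06-15 10:50:01 Host=dc01 ImageLoaded=C:\Windows\System32\drivers\disk.sys Signed=true Signature=Microsoft Windows
UtcTime=2019-06-15 10:51:07 Host=srv07 ImageLoaded=C:\Windows\Temp\saddrv.sys Signed=true Signature=Oracle Corporation
UtcTime=2019-06-15 10:51:09 Host=srv07 ImageLoaded=C:\Windows\Temp\rawdisk_unsigned.sys Signed=false Signature=-
UtcTime=2019-06-15 10:52:30 Host=ws12 ImageLoaded=C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys Signed=true Signature=Oracle Corporation
"""

VBOX_SIGNER = "Oracle Corporation"
# File names under which VirtualBox normally ships its kernel drivers (assumption for this check).
EXPECTED_VBOX_NAMES = {"vboxdrv.sys", "vboxusbmon.sys", "vboxnetadp6.sys", "vboxnetlwf.sys"}
WINDOW = timedelta(minutes=5)  # how soon after the staging load an unsigned driver is correlated
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_events(text):
    """Parse key=value records into dicts with typed UtcTime and Signed fields."""
    events = []
    for line in text.strip().splitlines():
        rec = dict(KV.findall(line))
        rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
        rec["Signed"] = rec["Signed"].lower() == "true"
        events.append(rec)
    return events

def detect_dse_bypass(events):
    """Return (host, reason, driver) alerts for the loader pattern described above."""
    alerts = []
    last_suspicious = {}  # host -> time a renamed VirtualBox-signed driver was loaded
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        host = ev["Host"]
        name = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if ev["Signed"] and ev["Signature"] == VBOX_SIGNER and name not in EXPECTED_VBOX_NAMES:
            # A validly signed VirtualBox driver loaded under a different name: TDL-style staging.
            alerts.append((host, "VirtualBox-signed driver loaded under unexpected name", name))
            last_suspicious[host] = ev["UtcTime"]
        elif not ev["Signed"] and host in last_suspicious:
            if ev["UtcTime"] - last_suspicious[host] <= WINDOW:
                # DSE should have refused this; an unsigned load right after the staging driver is the bypass.
                alerts.append((host, "unsigned driver loaded after staging driver (possible DSE bypass)", name))
    return alerts

if __name__ == "__main__":
    for alert in detect_dse_bypass(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The legitimately installed VBoxDrv.sys on ws12 produces no alert, which is the point of keying on the file name rather than the signer alone.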
The following table lists the files we analyzed as part of what enabled attackers to infect devices with ZeroCleare and spread through compromised networks.
| Index | File Name | Category | File Hash | Parent |
| --- | --- | --- | --- | --- |
| 9 | cu.bat | Batch Script | Hash depends on specific deployment | N/A |
| 10 | v.bat | Batch Script | Hash depends on specific deployment | N/A |
| 11 | 1.bat | Batch Script | Hash depends on specific deployment | N/A |
| 12 | 2.bat | Batch Script | Hash depends on specific deployment | N/A |
| 13 | 3.bat | Batch Script | Hash depends on specific deployment | N/A |
| 14 | 4.bat | Batch Script | Hash depends on specific deployment | N/A |
| 15 | 5.bat | Batch Script | Hash depends on specific deployment | N/A |
Table 1: ZeroCleare attacks: malware and supporting files
The following are some overarching notes regarding the file list:
- The PowerShell and batch scripts analyzed were designed to spread and execute the ZeroCleare malware across the domain.
- The main PowerShell script, ClientUpdate.ps1, spreads itself to Domain Controllers (DC) and then onward from those servers. It uses the Active Directory PowerShell module’s Get-ADComputer cmdlet to build lists of target devices on which to copy and execute the malware.
- The Batch scripts support spreading the malware but work in a more simplistic manner using premade text files that contain hostnames to infect, rather than generating the lists themselves.
- The ZeroCleare wiper executable itself, delivered in a file named ClientUpdate.exe, ran with a legitimate license key for the EldoS RawDisk driver.
File #1: ClientUpdate.exe (x64) – aka ZeroCleare
| File Name | File Type | MD5 | Timestamp |
| --- | --- | --- | --- |
| ClientUpdate.exe (x64) | 64-bit Windows binary | 1a69a02b0cd10b1764521fec4b7376c9 | 15 Jun 2019, 10:47:12 |
This file was identified as the new wiper that was deployed in destructive attacks to damage Windows-based devices. It was named ZeroCleare by IRIS per the file path of its PDB file.
As mentioned earlier in this paper, ZeroCleare relies on the legitimate EldoS RawDisk driver that was previously used in Shamoon attacks to access and wipe the hard drive directly. Using this driver, which is an inherently legitimate tool, allows ZeroCleare attackers to bypass the Windows hardware abstraction layer and avoid the OS safeguards.
To install the EldoS RawDisk driver, ZeroCleare uses another binary, Soy.exe, to load the driver on the targeted device and activate it.
X-Force IRIS analyzed Soy.exe and found that it is a modified version of the Turla Driver Loader (TDL), which is designed to bypass x64 Windows Driver Signature Enforcement. The TDL application works by first installing a legitimate but vulnerable signed VirtualBox driver, vboxdrv.sys (in this case named saddrv.sys). Once loaded, this vulnerable driver can be exploited to run shellcode at the kernel level, which in this case is used to load the unsigned EldoS driver.
ClientUpdate.exe executes soy.exe via the following command line:
cmd.exe /c soy.exe
In order to activate the disk management driver, the malware needs to open a file handle using a special file name that references the logical drive (for example, C:\). The file name passed to CreateFileW must start with # followed by the license key issued to the developer by EldoS.
We have observed ZeroCleare attempt to open the following filename:
The license key was:
It could be a temporary license key or one that was stolen from someone else. Various information-stealing malware can obtain license keys from infected systems.
The ClientUpdate.exe (x64) wiping function creates a buffer of random bytes and uses function DeviceIoControl to send the buffer to the RawDisk driver to write data to the disk and wipe the victim’s hard drives. Similar to what the Shamoon malware does, this would overwrite the MBR, partitions, and files on the system with random junk data.
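A forensic triage check for the outcome just described, added here as an example (not IBM's code and not ZeroCleare's): it inspects the first sector of a disk or image for the 0x55AA boot signature, sane partition boot indicators, and the high byte entropy that a random-bytes overwrite leaves behind. Both the intact MBR and the overwritten sector are constructed inside the block.

```python
import math
import random

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def shannon_entropy(data):
    """Bits of entropy per byte; random junk scores near 8, a real MBR (mostly zero padding) far lower."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def mbr_check(sector):
    """Return the reasons a first sector does not look like an intact MBR (empty list = looks intact)."""
    reasons = []
    if len(sector) != SECTOR:
        return ["sector is not 512 bytes"]
    if sector[510:512] != BOOT_SIG:
        reasons.append("missing 0x55AA boot signature")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):  # boot indicator must be inactive or active
            reasons.append(f"partition entry {i}: invalid boot indicator 0x{entry[0]:02x}")
    ent = shannon_entropy(sector)
    if ent > 7.0:  # threshold chosen for this example; real boot code is well below it
        reasons.append(f"entropy {ent:.2f} bits/byte looks like a random overwrite")
    return reasons

def build_sample_mbr():
    """Constructed minimal MBR: empty boot code, one active NTFS-typed partition, valid signature."""
    s = bytearray(SECTOR)
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    s[446:462] = entry
    s[510:512] = BOOT_SIG
    return bytes(s)

def build_wiped_sector(seed=7):
    """Constructed stand-in for a sector overwritten with random bytes, as the wiper does."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(SECTOR))

if __name__ == "__main__":
    print("intact MBR:", mbr_check(build_sample_mbr()) or "no findings")
    print("wiped sector:", mbr_check(build_wiped_sector()))
```

On a real image, read the first 512 bytes of the device or image file and pass them to mbr_check.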
The sample was observed to contain the following PDB string: