New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East

IBM X-Force has been researching and tracking destructive malware in the Middle East for some time now, particularly in the industrial and energy sectors. Since the first Shamoon attacks that started impacting organizations in the region in the summer of 2012, we have been following the evolution of destructive, disk-wiping malware deployed to cause disruption.


In a recent analysis, X-Force Incident Response and Intelligence Services (IRIS) discovered new malware from the wiper class, used in a destructive attack in the Middle East. We named this malware “ZeroCleare” after the program database (PDB) path embedded in its binary. To date, X-Force IRIS has not found any previous reporting on the ZeroCleare wiper, its indicators, or the elements observed in this campaign. It is possible that the malware was developed recently and that the campaign we analyzed is one of the first to use this version.


According to our investigation, ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved in developing and deploying this new wiper.


Given the evolution of destructive malware targeting organizations in the region, we were not surprised to find that ZeroCleare bears some similarity to the Shamoon malware. Taking a page out of the Shamoon playbook, ZeroCleare aims to overwrite the master boot record (MBR) and disk partitions on Windows-based machines. As Shamoon did before it, the tool of choice in the attacks is Eld ..
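To make the damage described above concrete, the following is an added example written for this article, not code from the X-Force report and not ZeroCleare's own code. It builds a constructed 512-byte MBR (a boot-code stub plus one bootable NTFS partition, synthetic rather than captured from an affected host), parses the partition table and boot signature the way a responder would when triaging a disk image, simulates an overwrite, and returns a verdict that distinguishes an intact sector from a wiped or tampered one. Function names (`build_sample_mbr`, `simulate_wipe`, `parse_mbr`, `assess_mbr`) are this example's own.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
MBR_SIGNATURE = b"\x55\xAA"      # bytes 510..511; BIOS refuses to boot without it
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (synthetic test data, not a real capture)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"            # JMP short: typical first bytes of x86 boot code
    mbr[3:11] = b"MSDOS5.0"                # filler so the boot-code region is non-zero
    # One active (0x80) NTFS (0x07) partition starting at LBA 2048, 1 GiB of 512-byte sectors.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 2_097_152)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def simulate_wipe(sector: bytes, pattern: bytes = b"\x00") -> bytes:
    """Overwrite the entire sector with a repeated fill pattern, as a wiper would."""
    if not pattern:
        raise ValueError("fill pattern must not be empty")
    repeats = SECTOR_SIZE // len(pattern) + 1
    return (pattern * repeats)[:SECTOR_SIZE]


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature, boot-code region and the four partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and lba == 0 and count == 0:
            continue                                   # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            # A sane entry has a legal status byte, a non-zero type and a non-zero length;
            # random overwrite bytes almost never satisfy all three.
            "valid": status in (0x00, 0x80) and ptype != 0 and count > 0,
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_blank": not any(sector[:PART_TABLE_OFFSET]),
        "partitions": partitions,
    }


def assess_mbr(sector: bytes) -> str:
    """Return 'intact', 'wiped' (unbootable) or 'suspicious' (bootable but nothing usable)."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "wiped"
    if info["boot_code_blank"] or not info["partitions"]:
        return "suspicious"
    if any(not p["valid"] for p in info["partitions"]):
        return "suspicious"
    return "intact"


if __name__ == "__main__":
    good = build_sample_mbr()
    print("original:", assess_mbr(good), parse_mbr(good)["partitions"])
    print("zero-filled:", assess_mbr(simulate_wipe(good)))
    print("junk-filled:", assess_mbr(simulate_wipe(good, b"\xAA\x55")))
```

On a live Windows host the same parser can be pointed at the first 512 bytes read from `\\.\PhysicalDrive0` (administrator rights required); on an image, at offset 0 of the raw file. The verdict is deliberately coarse: a missing `55 AA` signature is enough to stop the BIOS from booting the disk, which is the outcome a wiper is after, while a valid signature over an empty or nonsensical partition table is the pattern left by a partial overwrite and is worth a closer look rather than an automatic "clean".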
