A new, destructive strain of malware that shares some similarities with the infamous Shamoon wiper has surfaced in a recent targeted campaign against companies in the energy sector in the Middle East. The malware can completely destroy data on compromised machines, and researchers say it appears to be the product of an Iranian attack team that may be collaborating with a separate Iranian group to deploy it.
The newly uncovered wiper, known as ZeroCleare, was discovered by IBM’s X-Force team while investigating recent destructive attacks in the Middle East. The attacks focused on energy companies, and ZeroCleare was deployed as the last stage of a long infection and lateral-movement chain inside the target networks. The malware overwrites the master boot record (MBR) and damages disk partitions on compromised Windows machines, the same kind of behavior Shamoon exhibited in attacks on oil companies dating back to 2012. Though the two have similar capabilities and behaviors, the X-Force researchers say they are separate and distinct pieces of malware.
Shamoon has been used in several different campaigns over the years, with most of them targeting energy companies, specifically those in Saudi Arabia. The most destructive of Shamoon’s attacks was the intrusion at Saudi Aramco in 2012, an attack that destroyed the data of about 35,000 workstations. Shamoon has resurfaced in a handful of other incidents since then, and other wiper malware variants have emerged in that time, as well.
The X-Force team believes Iranian attack teams are responsible for ZeroCleare’s development and use, but the development and the deployment may have been the work of separate groups, one of which is likely the team known as OilRig, which IBM tracks as ITG13.
“According to our investigation, ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” said Limor Kessem, a security researcher and executive security advisor at IBM.
“X-Force IRIS assesses that the ZeroCleare campaign included compromise and access by actors from the ITG13 group and at least one additional group, likely Iran-based threat actors.”
The ZeroCleare attacks began with the attackers scanning a target network and then gaining an initial foothold. Once on a machine, the attackers used a chain of loaders and drivers to get the destructive payload running with kernel-level access. The first component in the chain, soy.exe, is a modified version of the Turla Driver Loader. It loads a legitimately signed but vulnerable version of the VirtualBox driver, exploits that driver to run its own kernel code, and uses that access to load the EldoS RawDisk driver. RawDisk is a legitimate commercial driver for direct access to disks and partitions, and it was also used by the Shamoon attackers to reach the MBR.
“The file soy.exe had a special role in the overall kill chain of ZeroCleare attacks as it was necessary for the initial bypass of Windows OS controls. This file was identified as a customized version of the Turla Driver Loader (TDL), which is a driver loader application designed for bypassing Windows x64 Driver Signature Enforcement (DSE). DSE is a protective feature that was introduced in 64-bit versions of Windows 8 and 10, to prevent the loading of drivers unsigned by Microsoft,” the X-Force technical analysis paper says.
“TDL works by first loading a legitimate, Microsoft-signed, VirtualBox VBoxDrv driver. However, a vulnerable version of the driver is intentionally used, and TDL can then exploit the vulnerability to run kernel-level shellcode and ultimately load other, unsigned drivers.”
In the ZeroCleare campaign, the wiper payload used the RawDisk driver to write directly to the disk. During the exploitation and lateral-movement phases of the intrusions, the attackers used a number of tactics, including brute-forcing account passwords and exploiting a vulnerability in SharePoint.
“Using EldoS RawDisk with malicious intent enabled ZeroCleare’s operators to wipe the MBR and damage disk partitions on a large number of networked devices. To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls. Adding these living-off-the-land tactics to the scheme, ZeroCleare was spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from,” Kessem said.
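One check a responder would want from the driver chain described above, as an added example that is not code from the article or from IBM X-Force: a small Python hunt over Sysmon-style driver-load records that flags the bring-your-own-vulnerable-driver shape, a signed VirtualBox driver loaded from an unusual path followed within minutes by the EldoS RawDisk driver on the same host. The field names follow Sysmon Event ID 6 (DriverLoad); the host names, paths, timestamps and signer strings are constructed, and the RawDisk file-name fragments are an assumption, not something the article states.

```python
"""Hunt for the driver-load pattern of a bring-your-own-vulnerable-driver chain:
a legitimately signed but vulnerable VirtualBox driver loaded from an odd path,
followed shortly by the EldoS RawDisk driver on the same host.

Records are modelled on the fields of Sysmon Event ID 6 (DriverLoad). All hosts,
paths, timestamps and signer strings below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DriverLoad:
    ts: datetime
    host: str
    image: str             # Sysmon ImageLoaded: full path of the driver file
    signer: str            # Sysmon Signature: subject of the signing certificate
    signature_valid: bool  # Sysmon SignatureStatus == "Valid"


# Where Windows normally keeps kernel drivers; a driver loaded from Temp, Users
# or ProgramData was almost certainly dropped there by something else.
NORMAL_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# File-name fragments for the two signed drivers the article says ZeroCleare
# brought along. "vboxdrv" is VirtualBox's VBoxDrv.sys; the two RawDisk
# fragments are assumptions about how the EldoS driver is named on disk.
ABUSED_DRIVER_MARKERS = ("vboxdrv", "rawdisk", "rawdsk")


def is_outside_driver_dir(image: str) -> bool:
    return not image.lower().startswith(NORMAL_DRIVER_DIR)


def classify(ev: DriverLoad, host_runs_virtualbox: bool) -> list:
    """Return the reasons one driver load looks suspicious (empty list if none)."""
    reasons = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if is_outside_driver_dir(ev.image):
        reasons.append("loaded outside %SystemRoot%\\System32\\drivers")
    for marker in ABUSED_DRIVER_MARKERS:
        if marker in name:
            # VBoxDrv is expected on hosts that genuinely run VirtualBox;
            # a raw-disk driver has no business on an ordinary workstation.
            if marker == "vboxdrv" and host_runs_virtualbox:
                continue
            reasons.append("known-abused signed driver: " + marker)
    if not ev.signature_valid:
        reasons.append("signature not valid")
    return reasons


def find_byovd_chains(events, window=timedelta(minutes=30), virtualbox_hosts=frozenset()):
    """Report hosts with at least two suspicious driver loads within `window`
    of each other. Returns {host: [(image, reasons), ...]}."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    findings = {}
    for host, evs in by_host.items():
        flagged = []
        for ev in evs:
            reasons = classify(ev, host in virtualbox_hosts)
            if reasons:
                flagged.append((ev, reasons))
        # One odd driver load is noise; two in quick succession is the
        # loader-then-payload shape of a bring-your-own-driver chain.
        for first, nxt in zip(flagged, flagged[1:]):
            if nxt[0].ts - first[0].ts <= window:
                findings[host] = [(ev.image, r) for ev, r in flagged]
                break
    return findings


# Constructed sample telemetry (not real incident data).
T = datetime(2019, 11, 3, 9, 12, 0)
SAMPLE_EVENTS = [
    # Victim workstation: VBoxDrv dropped in Temp, RawDisk driver 100 s later.
    DriverLoad(T, "WS-ENG-07", "C:\\Windows\\Temp\\VBoxDrv.sys", "example VirtualBox signer", True),
    DriverLoad(T + timedelta(seconds=100), "WS-ENG-07", "C:\\Windows\\Temp\\elrawdsk.sys", "example RawDisk signer", True),
    # Lab host that legitimately runs VirtualBox from the normal driver directory.
    DriverLoad(T, "HV-LAB-01", "C:\\Windows\\System32\\drivers\\VBoxDrv.sys", "example VirtualBox signer", True),
    # Ordinary Microsoft driver load.
    DriverLoad(T, "WS-FIN-12", "C:\\Windows\\System32\\drivers\\ndis.sys", "Microsoft Windows", True),
    # Two odd loads on one host, but days apart: outside the correlation window.
    DriverLoad(T - timedelta(days=2), "WS-FIN-12", "C:\\Temp\\debugdrv.sys", "unknown", False),
    DriverLoad(T + timedelta(hours=5), "WS-FIN-12", "C:\\Temp\\other.sys", "unknown", False),
]

if __name__ == "__main__":
    for host, loads in find_byovd_chains(SAMPLE_EVENTS, virtualbox_hosts={"HV-LAB-01"}).items():
        print(host)
        for image, reasons in loads:
            print("  ", image, "->", "; ".join(reasons))
```

Because the loader’s whole purpose is to bypass Driver Signature Enforcement, both VBoxDrv and RawDisk arrive with valid signatures, so the hunt leans on load path, driver identity and timing rather than on signature status; the loader executable itself (soy.exe in this campaign) would show up in process-creation telemetry, not in driver-load events. Hosts that legitimately run VirtualBox go in the allowlist, which suppresses only the VBoxDrv match.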
Though many of the APT campaigns that researchers expose focus on cyberespionage, some of the same groups run destructive operations as well. Historically, many of those operations have taken place in the Middle East and have targeted energy companies and production facilities, which are vital national assets.
“The key role oil and gas production and processing play on both the national and global level represents a high-value target for state-sponsored adversarial actors. These types of attackers may be tasked with conducting anything from industrial espionage to cyber kinetic attacks designed to disrupt the critical infrastructure of rival nations,” Kessem said.