IBM's cybersecurity division, X-Force Incident Response and Intelligence Services (IRIS), reports that it has discovered ZeroCleare, a new data-wiping malware targeting the Middle East energy industry and other sectors. According to the team, ZeroCleare appears to have been created by a group of hackers with Iranian support.
No evidence of earlier attacks using ZeroCleare has been found, so X-Force IRIS suggests that ZeroCleare is recently developed malicious code. Its targets appear to be in the Middle East energy sector, and analysis of the malicious code suggests that ZeroCleare is associated with APT34, a hacking group believed to be supported by Iran. ZeroCleare is said to bear a strong resemblance to the Shamoon malware, which in 2012 destroyed more than 30,000 computers in Saudi Arabia alone in attacks on oil and gas companies.
Like Shamoon, ZeroCleare attacks Windows PCs by overwriting the master boot record (MBR) and disk partitions. To do so it uses a hard-disk driver, RawDisk by EldoS. According to the security team, state-sponsored hacking groups often abuse legitimate tools in ways that the vendors supplying them did not anticipate.
ZeroCleare's intrusion begins by brute-forcing network account passwords to gain access to the target device, then installing a web shell such as China Chopper on it. The RawDisk driver the attackers use is not signed, so they abuse a vulnerable but signed Oracle VirtualBox driver to get around the driver signature verification mechanism and run the unsigned RawDisk driver. In this way ZeroCleare spreads to networked computers whose passwords have been cracked and can affect thousands of machines.
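An added example, not from the IBM report or this article, of how a defender might hunt for the driver-loading pattern described above: it scans constructed Sysmon DriverLoad (Event ID 6) records and flags unsigned driver loads, a VirtualBox driver loaded from an unusual path, and a VirtualBox driver load followed shortly by an unsigned driver on the same host. The field names mirror Sysmon's; the hosts, paths, timestamps and the `rawdisk.sys` filename are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Sysmon Event ID 6 (DriverLoad) records. Field names follow
# Sysmon; hosts, paths and times are invented for this example.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-12-04 10:01:10", "Host": "WS01", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"UtcTime": "2019-12-04 10:02:30", "Host": "WS01", "Signed": "true",
     "ImageLoaded": r"C:\Users\Public\VBoxDrv.sys"},
    {"UtcTime": "2019-12-04 10:03:05", "Host": "WS01", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\rawdisk.sys"},
    {"UtcTime": "2019-12-04 10:04:00", "Host": "WS02", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\VBoxDrv.sys"},
]

VBOX_DRIVER = "vboxdrv.sys"  # VirtualBox kernel driver, legitimately signed


def find_suspicious(events, window=timedelta(minutes=10)):
    """Return (host, reason, image) findings from DriverLoad records.

    "unsigned-driver": any driver load whose Signed field is not "true".
    "vbox-driver-unusual-path": VBoxDrv.sys loaded from outside a VirtualBox
        install directory (a sign it was dropped rather than installed).
    "vbox-then-unsigned": VBoxDrv.sys loaded on a host, followed within
        `window` by an unsigned driver on the same host, i.e. the
        signed-vulnerable-driver-loads-unsigned-driver chain from the article.
    """
    findings = []
    vbox_seen = defaultdict(list)  # host -> times VBoxDrv.sys was loaded
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        host, image = ev["Host"], ev["ImageLoaded"]
        name = image.rsplit("\\", 1)[-1].lower()
        if name == VBOX_DRIVER:
            vbox_seen[host].append(t)
            if "virtualbox" not in image.lower():
                findings.append((host, "vbox-driver-unusual-path", image))
        if ev["Signed"].lower() != "true":
            findings.append((host, "unsigned-driver", image))
            if any(timedelta(0) <= t - v <= window for v in vbox_seen[host]):
                findings.append((host, "vbox-then-unsigned", image))
    return findings


if __name__ == "__main__":
    for host, reason, image in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {reason}: {image}")
```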
The same attackers also attempt to install TeamViewer, a legitimate remote access tool, and use the compromised servers as a springboard, running the credential theft tool Mimikatz to steal more network credentials. The security team argues that ZeroCleare targets specific sectors or organizations, but the names of the targeted organizations were not disclosed. Related information can be found here.