/?pid=21336

Updated:06:32 PM EDT Jul 28
this is ggmania.com subsite

NEWS
rss feed 
 
top 100
archive
ARTICLES
CD/DVD tools
Free Antivir
Security
Drivers
Utilities
FORUMS
LINKS


(C) 2006-2025 TechAmok Independent
All Rights Reserved.


 
 New Iranian wiper (malware) discovered - TechAmok

New Iranian wiper (malware) discovered - [security]
04:27 PM EST - Dec,04 2019 - post a comment

IBM X-Force, the company's security unit, has published a report of a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered in a response to an attack on what an IBM spokesperson described as "a new environment in the [Middle East]-not in Saudi Arabia, but another regional rival of Iran." Dubbed ZeroCleare, the malware is "a likely collaboration between Iranian state-sponsored groups," according to a report by IBM X-Force researchers. The attacks were targeted against specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the "ITG13 Group"-also known as "Oilrig" and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based webshell named "extensions.aspx," which "shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE," the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool-obfuscated to hide its intent-to steal more network credentials off the compromised servers. From there, they moved out across the network to spread the ZeroCleare malware.

ZeroCleare, like the Shamoon wiper, uses the legitimate RawDisk software driver from EldoS to gain direct access to disk drives and write data. Since the EldoS driver is not signed, however, ZeroCleare uses a vulnerable but signed driver from a version of Oracle's VirtualBox virtual machine software to bypass signature checking of the driver-allowing it to attack 64-bit versions of Windows. The VBoxDrv driver, which passes Microsoft's Driver Signature enforcement, is loaded by an intermediary executable-in the IBM X-Force detected cases, the file was named soy.exe. After loading the vulnerable VirtualBox driver, the malware exploits a bug in the driver to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware can dispense with the workaround and run the EldoS driver directly. The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.


Add your comment (free registrationrequired)

Short overview of recent news articles

Jul,28 2025 HW News - Gigabyte's Motherboard Mess, Linux Gains Market Share,
Jul,27 2025 Samsung Z Fold 7 Durability Test - The End is Near
Jul,27 2025 Silent Night, Deadly Night - Exclusive Trailer
Jul,27 2025 I Bought a Giant Video Wall on Craigslist!
Jul,26 2025 My Turn: Lamborghini Revuelto // Nurburgring
Jul,26 2025 F1: Qualifying Highlights | 2025 Belgian Grand Prix
Jul,26 2025 F1: Sprint Qualifying Highlights | 2025 Belgian Grand Prix
Jul,26 2025 I am biased against this laptop - Razer Blade 18
Jul,26 2025 PRISONER OF WAR - Official Trailer | Starring Scott Adkins | In
Jul,24 2025 Battlefield 6 reveal trailer
Jul,22 2025 Samsung Galaxy Z Fold 7 - Two Week Review
Jul,21 2025 Killer 4K 240Hz QD-OLED for just £750: MSI MPG 272URX
Jul,20 2025 LAMBORGHINI URUS *STAGE 1* // REVIEW on AUTOBAHN
Jul,20 2025 THE BEST VW GOLF GTI I've Driven! Proper ClubSport
Jul,19 2025 Intel Core Ultra 9 275HX vs AMD Ryzen 9 9955HX - Which CPU is Best?
Jul,18 2025 LAMBORGHINI REVUELTO V12 // 370KMH REVIEW on UNLIMITED AUTOBAHN!
Jul,18 2025 Mortal Kombat II - Official Trailer
Jul,17 2025 Stranger Things 5 - Official Teaser
Jul,14 2025 Google Is Selling Fake Products - WAN Show July 11, 2025
Jul,12 2025 Hacked by playing Call of Duty WW2 on Gamepass?
Jul,12 2025 2025 VW Golf GTE // TOP SPEED REVIEW on AUTOBAHN
Jul,11 2025 NEW Audi RS3 v cheapest used RS3: DRAG RACE
Jul,10 2025 A critical security vulnerability in Microsoft Remote Desktop Client
Jul,10 2025 Samsung Z Fold/Flip 7 Impressions: Major Upgrades!
Jul,08 2025 Gmail's latest feature helps you get rid of those pesky emails from
Jul,06 2025 I'm an idiot and still made top 5... here's how
Jul,05 2025 The Fantastic Four: First Steps - Official 'Lift Off' Teaser
Jul,04 2025 Samsung Galaxy Z Fold 7 - Hands on Look
Jul,04 2025 RTX 5070 Ti vs RTX 5080 - Is 5080 Gaming Laptop Worth More $$$?
Jul,04 2025 FIRST DRIVE: Praga Bohema - Crazy Hypercar Driven!
Jul,03 2025 Ballerina - Exclusive John Wick Deleted Scene (2025) Keanu Reeves,
Jul,03 2025 Call of Duty: WWII - Remote Code Execution Warning (PC Game Pass)
Jul,02 2025 1014HP Lamborghini REVUELTO 369KMH TOP SPEED POV on AUTOBAHN
Jul,01 2025 Nvidia Drivers (V 576.80 vs V 576.88) - Test In 12 Games - RTX 4060
Jun,30 2025 AMD Adrenalin 25.6.3 Driver Is Available
Jun,30 2025 NVIDIA GeForce RTX 5080 SUPER Could Feature 24 GB Memory, Increased
Jun,29 2025 Guess What Nvidia Did THIS Time
Jun,28 2025 The 10 Best Dinosaur Movies of All Time
Jun,28 2025 Microsoft officially confirms that Windows 11 version 25H2 is coming
Jun,26 2025 Eddington - Official Trailer 2 (2025) Joaquin Phoenix, Pedro Pascal
>> News Archive <<

TechAmok - Privacy Policy        loading time:0.01secs