/?pid=21336

Updated:03:26 AM EST Nov 30
this is ggmania.com subsite

NEWS
rss feed 
 
top 100
archive
ARTICLES
CD/DVD tools
Free Antivir
Security
Drivers
Utilities
FORUMS
LINKS


(C) 2006-2025 TechAmok Independent
All Rights Reserved.


 
 New Iranian wiper (malware) discovered - TechAmok

New Iranian wiper (malware) discovered - [security]
04:27 PM EST - Dec,04 2019 - post a comment

IBM X-Force, the company's security unit, has published a report of a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered in a response to an attack on what an IBM spokesperson described as "a new environment in the [Middle East]-not in Saudi Arabia, but another regional rival of Iran." Dubbed ZeroCleare, the malware is "a likely collaboration between Iranian state-sponsored groups," according to a report by IBM X-Force researchers. The attacks were targeted against specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the "ITG13 Group"-also known as "Oilrig" and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based webshell named "extensions.aspx," which "shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE," the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool-obfuscated to hide its intent-to steal more network credentials off the compromised servers. From there, they moved out across the network to spread the ZeroCleare malware.

ZeroCleare, like the Shamoon wiper, uses the legitimate RawDisk software driver from EldoS to gain direct access to disk drives and write data. Since the EldoS driver is not signed, however, ZeroCleare uses a vulnerable but signed driver from a version of Oracle's VirtualBox virtual machine software to bypass signature checking of the driver-allowing it to attack 64-bit versions of Windows. The VBoxDrv driver, which passes Microsoft's Driver Signature enforcement, is loaded by an intermediary executable-in the IBM X-Force detected cases, the file was named soy.exe. After loading the vulnerable VirtualBox driver, the malware exploits a bug in the driver to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware can dispense with the workaround and run the EldoS driver directly. The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.


Add your comment (free registrationrequired)

Short overview of recent news articles

Nov,30 2025 Top 5 Best CPUs of 2025
Nov,30 2025 Google Adding AirDrop to Android
Nov,29 2025 20 TOP ALIEXPRESS products for BLACK FRIDAY
Nov,26 2025 Stop Wasting Money on Premium Monitors
Nov,23 2025 The Blackest Friday - Tech News Nov 23
Nov,23 2025 T-Roc: Will this new VW be the best car of 2026?
Nov,23 2025 Can I build my own Steam Machine?
Nov,22 2025 50 NEXT-LEVEL Gadgets Every Man NEEDS to See
Nov,22 2025 RETURN TO SILENT HILL Trailer (2026)
Nov,20 2025 I was WRONG about the Porsche 911 GT3 (or was I?)
Nov,20 2025 Pi GPT Tool Turns Raspberry Pi into a ChatGPT-Powered Smart Device
Nov,17 2025 Rainbow Six Siege X - Official 'Team Rainbow's Last Mission'
Nov,17 2025 Stranger Things Seasons 1-4 Recap
Nov,16 2025 Kill Bill: The Whole Bloody Affair - Official Trailer (2025) Uma
Nov,15 2025 The Devil Wears Prada 2 - Official Teaser Trailer (2026) Meryl
Nov,15 2025 Valve’s New Console and Controller - STEAM Machine & STEAM
Nov,15 2025 Valve Steam Machine, Desktop SteamOS, Steam Frame VR, & Controller |
Nov,01 2025 Battlefield REDSEC - Official Live-Action Trailer
Nov,01 2025 What's the Best PC Upgrade (besides CPU/GPU)?
Oct,31 2025 Directive 8020 - RTX On Trailer
Oct,30 2025 Stranger Things 5 - Official Trailer
Oct,29 2025 AMD Releases Software Adrenalin Edition 25.10.2 WHQL Drivers
Oct,29 2025 Exploding AMD CPUs | Investigating ASRock's Murderboards
Oct,29 2025 Setting Up Our First Huge Gaming Event was CHAOS
Oct,27 2025 Malware of the Future: What an infected system looks like in 2025
Oct,27 2025 F1: Race Highlights | 2025 Mexico City Grand Prix
Oct,26 2025 F1: Qualifying Highlights | 2025 Mexico City Grand Prix
Oct,25 2025 New Big Windows 11 25H2 October Update - New Taskbar Battery Icons
Oct,25 2025 Apple Prepping 'Transfer to Android' Feature, Including 3rd-Party
Oct,24 2025 HW News - RIP Internet, RAM Prices Skyrocket from AI Demand, Intel
Oct,21 2025 Retro Gaming PC Upgrades go WRONG!
Oct,21 2025 How social media has ruined us - the more time you spend online, the
Oct,20 2025 FERRARI 12 CILINDRI // 340KMH REVIEW on AUTOBAHN
Oct,20 2025 ROG Xbox Ally X - a PC Gamer's Perspective
Oct,20 2025 Race Highlights | 2025 United States Grand Prix
Oct,18 2025 RedMagic Puts Liquid Cooling in its New Gaming Phone
Oct,18 2025 Russia Says U.S. Is Planning a $37 Trillion Crypto Reset
Oct,18 2025 Tor Browser says no to Firefox's AI features as it removes them
Oct,14 2025 NVIDIA GeForce 581.57 WHQL Driver
Oct,13 2025 Samsung One UI 8.5 vs iOS 26 - COMPARISON
>> News Archive <<

TechAmok - Privacy Policy        loading time:0.01secs