New Iranian wiper (malware) discovered - [security]
04:27 PM EST - Dec,04 2019 - post a comment

IBM X-Force, the company's security unit, has published a report on a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered during the response to an attack on what an IBM spokesperson described as "a new environment in the [Middle East], not in Saudi Arabia, but another regional rival of Iran." Dubbed ZeroCleare, the malware is "a likely collaboration between Iranian state-sponsored groups," according to the report by IBM X-Force researchers. The attacks were targeted at specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the "ITG13 Group," also known as "Oilrig" and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. In addition to the brute-force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based web shell named "extensions.aspx," which "shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE," the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool, obfuscated to hide its intent, to steal more network credentials from the compromised servers. From there, they moved laterally across the network to spread the ZeroCleare malware.

ZeroCleare, like the Shamoon wiper, uses the legitimate RawDisk software driver from EldoS to gain direct access to disk drives and write data. Since the EldoS driver is not signed, however, ZeroCleare uses a vulnerable but signed driver from a version of Oracle's VirtualBox virtual machine software to bypass signature checking of the driver, allowing it to attack 64-bit versions of Windows. The VBoxDrv driver, which passes Microsoft's Driver Signature Enforcement, is loaded by an intermediary executable; in the cases IBM X-Force detected, the file was named soy.exe. After loading the vulnerable VirtualBox driver, the malware exploits a bug in that driver to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware can dispense with the workaround and run the EldoS driver directly. The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.
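The driver-loading chain described above (a signed VBoxDrv load used to sneak an unsigned EldoS RawDisk driver past Driver Signature Enforcement, or the RawDisk driver loaded directly on 32-bit Windows) is something endpoint driver-load telemetry can surface. The following detection script is an added example, not code from the article or from IBM X-Force; it runs over constructed sample events whose field names (ts, host, type, image, signed, signer) are assumptions modelled loosely on Sysmon DriverLoad records, and the file names and paths in the sample data are placeholders rather than indicators from the report.

```python
"""Detection logic for the ZeroCleare-style driver-loading chain, run over
constructed driver-load telemetry. Added example; field names are assumptions
modelled loosely on Sysmon DriverLoad events, and sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the article: the signed Oracle VirtualBox driver
# (VBoxDrv) used as the loader, and the EldoS RawDisk driver it loads.
VBOX_DRIVER = re.compile(r"vboxdrv\.sys$", re.IGNORECASE)
# 'elrawdsk' is the filename the RawDisk driver normally ships under (assumed);
# matching on 'rawdisk' as well keeps the rule robust to renaming.
RAWDISK_DRIVER = re.compile(r"(rawdisk|elrawdsk)", re.IGNORECASE)
# Where a legitimate VirtualBox install keeps its driver (assumed default path).
EXPECTED_VBOX_DIR = re.compile(r"^c:\\program files\\oracle\\virtualbox\\", re.IGNORECASE)
# How long after the VBoxDrv load an unsigned driver load still counts as the chain.
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (not real IoCs). HOST-A shows the 64-bit chain,
# HOST-B a legitimate VirtualBox install, HOST-C the 32-bit case where the
# RawDisk driver is loaded without the VirtualBox workaround.
SAMPLE_EVENTS = [
    {"ts": "2019-12-04T10:01:05", "host": "HOST-A", "type": "DriverLoad",
     "image": r"C:\Users\Public\VBoxDrv.sys", "signed": True, "signer": "Oracle Corporation"},
    {"ts": "2019-12-04T10:01:09", "host": "HOST-A", "type": "DriverLoad",
     "image": r"C:\Users\Public\elrawdsk.sys", "signed": False, "signer": ""},
    {"ts": "2019-12-04T09:00:00", "host": "HOST-B", "type": "DriverLoad",
     "image": r"C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys",
     "signed": True, "signer": "Oracle Corporation"},
    {"ts": "2019-12-04T09:00:02", "host": "HOST-B", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True, "signer": "Microsoft Windows"},
    {"ts": "2019-12-04T11:30:00", "host": "HOST-C", "type": "DriverLoad",
     "image": r"C:\Windows\Temp\elrawdsk.sys", "signed": False, "signer": ""},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_wiper_driver_chain(events, window=WINDOW):
    """Return a list of findings, one per suspicious driver-load pattern."""
    findings = []
    drivers_by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "DriverLoad":
            drivers_by_host[e["host"]].append(e)

    for host, drivers in drivers_by_host.items():
        # Rule 1: a raw-disk-access driver has no business on an ordinary server;
        # flag every load of it, which also covers the 32-bit direct-load case.
        for d in drivers:
            if RAWDISK_DRIVER.search(d["image"]):
                findings.append({"host": host, "rule": "rawdisk_driver_load",
                                 "severity": "high", "evidence": d["image"]})
        # Rule 2: the 64-bit bring-your-own-vulnerable-driver chain, a signed
        # VBoxDrv load followed shortly by an unsigned driver load. A VBoxDrv
        # load from outside the install directory alone is a weaker signal.
        for i, d in enumerate(drivers):
            if not VBOX_DRIVER.search(d["image"]):
                continue
            followers = [f for f in drivers[i + 1:]
                         if _ts(f) - _ts(d) <= window and not f["signed"]]
            if followers:
                findings.append({"host": host, "rule": "vboxdrv_then_unsigned_driver",
                                 "severity": "high",
                                 "evidence": f"{d['image']} -> {followers[0]['image']}"})
            elif not EXPECTED_VBOX_DIR.match(d["image"]):
                findings.append({"host": host, "rule": "vboxdrv_unexpected_path",
                                 "severity": "low", "evidence": d["image"]})
    return findings


def hosts_with_high_severity(findings):
    """Hosts that should go to incident response first."""
    return sorted({f["host"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in detect_wiper_driver_chain(SAMPLE_EVENTS):
        print(f"{f['host']:7} {f['severity']:4} {f['rule']:30} {f['evidence']}")
```

Rule 1 on its own is usually the more valuable of the two in practice, since the RawDisk driver is rare outside forensic and disk-imaging tooling and its appearance matters regardless of how it was loaded; Rule 2 adds the context that distinguishes the signed-loader abuse from a genuine VirtualBox installation on the same host.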
