IBM X-Force, the company's security unit, has published a report of a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered in a response to an attack on what an IBM spokesperson described as "a new environment in the [Middle East]-not in Saudi Arabia, but another regional rival of Iran." Dubbed ZeroCleare, the malware is "a likely collaboration between Iranian state-sponsored groups," according to a report by IBM X-Force researchers. The attacks were targeted against specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the "ITG13 Group"-also known as "Oilrig" and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper
, and another Active Server Pages-based webshell named "extensions.aspx," which "shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE
," the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool-obfuscated to hide its intent-to steal more network credentials off the compromised servers. From there, they moved out across the network to spread the ZeroCleare malware.
ZeroCleare, like the Shamoon wiper, uses the legitimate RawDisk software driver from EldoS to gain direct access to disk drives and write data. Since the EldoS driver is not signed, however, ZeroCleare uses a vulnerable but signed driver from a version of Oracle's VirtualBox virtual machine software to bypass signature checking of the driver-allowing it to attack 64-bit versions of Windows. The VBoxDrv driver, which passes Microsoft's Driver Signature enforcement, is loaded by an intermediary executable-in the IBM X-Force detected cases, the file was named soy.exe. After loading the vulnerable VirtualBox driver, the malware exploits a bug in the driver to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware can dispense with the workaround and run the EldoS driver directly. The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.