Oil be damned: Iran-based crooks flinging malware at Middle Eastern energy plants again – research

ZeroCleare wipes up where Shamoon left off


An Iran-based hacking crew long known to target energy facilities in neighboring Middle Eastern countries is believed to be launching new attacks.

The team at IBM's X-Force said an actively spreading malware package dubbed ZeroCleare looks to be in part the work of APT34, a hacking crew commonly accepted to be operating out of Iran.

According to researchers, APT34 and another crew from Iran have been using poisoned VPN nodes to get onto machines located at energy facilities in the region. In at least one case so far, they were successful.

"The attack timeline may have begun as early as Autumn of 2018 with reconnaissance scanning from various low-cost/free VPN providers and gaining access to one of the accounts that was later involved in the attack," the X-Force report reads.

"Then, in the Summer of 2019, the attackers used a password spray from a system on the local network to gain access to additional accounts, install ASPX webshells, and gain domain administration privileges."

From there, the attackers deployed a new tool: a wiper infection known as ZeroCleare. The infection was spread across the network and then activated, destroying data on the disks of all infected machines.

"The ZeroCleare disk wiper malware had both x86 and x64 versions to execute across 32-bit and 64-bit operating systems," the X-Force team explained.

"Interestingly, this malware incorporated the Eldos RawDisk driver, which was previously used in each of the Shamoon attacks, reportedly perpetrated by Iranian-linked threat actors."

Given the nature of the targets and the similarities between ZeroCleare and Shamoon, it was easy for researchers to draw the connection between this attack and previous operations carried out by APT34 against oil refineries, government offices and other high-value targets in Saudi Arabia and other nearby countries.

While there don't currently appear to be any reports of the malware spreading outside of the region, the destructiveness of the nasty infection would merit all admins making a quick check for updates in AV definitions as well as apps and systems versions in their environment. X-Force listed the so-called Indicators of Compromise here. ®


Biting the hand that feeds IT © 1998–2020