In pursuit of gaining dominance over each other, countries with heavy arms and technology shall always win. And one such is here; malware attackings on each others resources. IBM security researchers X-Force has detected a new malware that’s being disseminated by attackers from Iran to erase data from systems. It’s clearly explained below. Just as other past wipers, IBM said this would be deployed to erase confidential information from systems. The aim of such malwares is to hinder the business operations of victims to mask any intrusions caused. IBM did not specify what those infected energy companies are. It further revealed that there are two versions of this malware created; one for 32-bit and another of 64-bit systems. Only the latter was said to be operational currently.
Workflow
This malware, at first, tries a brute-force attack into vulnerable systems and if succeeded, shall exploit SharePoint vulnerability to install web shells. Once entered, they shall spread across the entire network with exploiting the vulnerable drivers and installing PowerShell/Batch scripts that could bypass Windows controls.
WorkflowThe State-Backed GroupsResembling Shamoon
After settling, it would then load a legitimate toolkit as EldoS RawDisk to interact with files, disks, and partitions. This access is further used to wipe the MBR and damage disk partitions on a large number of networked devices.
The State-Backed Groups
IBM detailed in its report as this malware deployment is carried out by two Iran state-owned hacking groups; xHunt and APT34. It said, “Based on the analysis of the malware and the attackers’ behaviour, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper” as in their reports. It confirms that it’s a brainchild of xHunt and APT34.
Resembling Shamoon
This new malware is said to be resembling closely to Shamoon, which is one of such kind malware that succeeded in wiping out data in past. ZeroCleare’s modus operandi and targets are just as Shamoon’s, as it too had attacked energy based companies from Saudi Arabia in past. While Shamoon was carried out by Iran state-backed APT33 group, this was carried by new ones. IBM initially reported that some (maybe more) of APT33’s team could be involved in this new case, but later clarified of the new team as xHunt and APT34.