Threat actors believed to be operating out of Iran are once again targeting energy and industrial-sector organizations in the Middle East with a destructive disk-wiping malware similar to "Shamoon," which destroyed more than 35,000 Windows systems at Saudi Aramco a few years ago.
Researchers from IBM's X-Force team who have been tracking the new malware have dubbed the malware "ZeroCleare." In a report this week, the vendor described ZeroCleare as similar to Shamoon in some ways, but sufficiently different enough from it in other ways to be considered a completely new threat.
"Our reverse engineers performed a comparative analysis of the two attacks, which showed that they do not appear to be related at a code level," says Limor Kessem, global executive security adviser at IBM.
As with Shamoon, the new malware is designed to overwrite the master boot record (MBR) and disk partitions on Windows systems. Also like its predecessor, ZeroCleare uses EldoS RawDisk, a legitimate toolkit, to carry out its mission. MITRE describes EldoS as a driver for interacting with files, disks, and partitions. It allows users to circumvent Windows OS security features and directly modify data on a computer, making it attractive to attackers.
Available evidence suggests that ITG13, a threat group also known as APT34/OilRig, and at least one other Iran-based group is behind the attacks. ITG13's mission appears to be to enable initial access to targeted systems. One or more other Iran-based groups have then been deploying the disk-wiping ZeroCleare on them. The attacks appear to be targeted and designed specifically to disrupt operations at critical infrastructure organizations in multiple Middle East countries.
Kessem says there are a variety of reasons why nation-states might want to target the natural resource infrastructure of another country. "The repercussions of attacks on the oil industry specifically span issues related to money, trading, transportation, and geo-political tension that could be building up in a region," she says.
Kessem estimates the ZeroCleare attacks have impacted thousands of devices in the oil and gas sector in the Middle East. "We don't know the exact number of organizations that were impacted," Kessem says. "However, we do know that at least 1,400 hosts were affected by ZeroCleare."
Shamoon, which first surfaced in 2012, is believed to have infected many more systems. The last time security researchers observed the malware being used was in December 2018, when it suddenly re-emerged after a two-year hiatus. Symantec and others that tracked the attacks described them as being targeted once again at Middle East organizations. The attacks involved a new wiper that deleted files from infected systems before Shamoon then wiped the master boot record.
A Multifaceted Threat
According to IBM, the new ZeroCleare threat is designed to work on both 32-bit and 64-bit Windows systems, but the manner in which it deploys on each is different.
Because 64-bit Windows systems only allow Microsoft-signed drivers to run on the device, the EldoS RawDisk driver, which is unsigned, cannot run on them by default. To overcome this obstacle, ZeroCleare first loads a signed, but vulnerable, driver on the targeted system and then exploits the vulnerability to load the unsigned EldoS driver, IBM said. Once installed, the RawDisk driver proceeds to wipe the master boot record clean.
Destructive attacks like ZeroCleare are growing, Kessem says. The number of cases that IBM has responded to, where disk-wiping and other destructive malware was involved, has jumped 200% in just the past six months, she says.
"These attacks can be launched to fulfill everything from financial gain to military objectives," Kessem notes. "The effects can be crippling, especially as attackers target specific sectors that countries heavily rely on."
Most destructive malware attacks so far have focused on organizations in the Middle East. Motivations have ranged from financial — pressuring victims to pay by threatening to wipe their systems clean — to the geo-political. Some nation-state campaigns, for instance, have had military objectives, such as denying access to critical systems, degrading or disrupting operational capabilities, and destroying devices and data, IBM said.
Significantly, these campaigns pose a threat to organizations in any country. "US organizations need to be cognitive of their security preparedness," Kessem says. This means testing incident response plans, reassessing access management controls, and ensuring proper data backup and recovery processes are in place.
In many of these attacks, threat actors have exploited weakly protected access credentials and privileged accounts to gain an initial foothold on a target network and to then expand their access on it. So controls such as multifactor authentication, strong passwords, and least-privileged access are critical, IBM said.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."