New Highly Destructive Wiper Malware Variant Detected

A new wiper malware has been detected by security researchers at IBM X-Force which is being used in attacks on energy companies and industrial firms in the Middle East. The malware is believed to have been created by two threat groups in Iran that are known to have links to the Iranian government, APT34 and xHunt.

The malware, named ZeroCleare, is being used in targeted attacks against specific organizations according to the researchers. It is being deployed in a multi-stage attack that is designed to inflict maximum damage.

The final wiper payload is named ClientUpdate.exe and directly wipes the hard disk using the EldoS RawDisk driver, which was used in the Shamoon attacks on the Saudi Arabian oil company, Aramco. AS with Shamoon, the malware wipes both the master boot record and the disk partitions on Windows devices.

Since the EldoS RawDisk driver is a legitimate tool it is not detected as malicious, allowing the attackers to wipe the hard disk undetected. Two forms of the malware have been detected, one is a 32-bit version and the other a 64-bit version, although only the latter appears to work.

The attackers are gaining access to networks and are moving laterally using living-of-the-land tactics to avoid detection. They gain access to multiple network accounts to spread the malware to as many devices as possible. This allows them to inflict maximum damage.

These highly destructive attacks are becoming much more common. There has been a 200% increase in these destructive attacks between the first half of 2018 and the first half of 2019, according to IBM X-Force.

The cost of attacks such as this are colossal and it can take companies many months to recover. Figures from IBM X-Force indicate attacks of this nature typically wipe around 12,000 computers. The attack on Aramco saw 30,000 computers wiped. It takes an average of 512 hours for incident response teams to mitigate the attack, although in many cases it can take considerably longer. These cyberattacks are also hugely expensive, costing the attacked company an average of $239 million.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news