
ZeroCleare

Posted: December 5, 2019

ZeroCleare is a file-wiper Trojan: a threat that deliberately destroys the contents of your hard drive. Like most threats built with this degree of professionalism, it is typically deployed in state-sponsored attacks against industries such as the energy sector. Practicing appropriate network security protocols limits such attacks, backups mitigate the damage, and various anti-malware services should delete ZeroCleare when they detect it.

How Hard Drives Turn into Big Zeroes

While many cyber-security companies avoid pointing fingers at national governments, some Trojan campaigns are clearly traceable to a specific team of hackers and no one else. A recent sample and network-attack analysis from the IBM X-Force team shows that Iran is expanding its strategic hacking options against its perceived enemies on the world stage. Its suitably devastating weapon is ZeroCleare, which is just as destructive as the notorious Shamoon (also known as Disttrack).

Circumstantial details suggest that at least two groups are responsible, one of which is APT34 (also known as OilRig). Unlike previous campaigns that relied on social engineering and psychological manipulation, ZeroCleare's deployment starts with brute-forcing account credentials and uses that foothold to infect the rest of the network. Along the way, the attackers used supporting tools such as Mimikatz, a password collector; TeamViewer's remote-administration software; and the China Chopper and Tunna Web shells.

ZeroCleare is the final stage of the attack. It borrows Shamoon's method of abusing the EldoS RawDisk driver to erase the MBR and damage disk partitions, which 'bricks' the hardware. The attack also uses LOLBin, or living-off-the-land, techniques, which are popular among the more professional threat actors, and a single campaign can affect up to thousands of devices. That scope makes ZeroCleare extremely disruptive to, for example, oil or electrical company operations, although malware experts are unable to name the specific businesses or regions affected.
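As an added defensive example (not code from the original analysis or from any of the tools named above), the following Python check parses a 512-byte MBR, flags the state a disk wiper leaves behind (missing 0x55AA boot signature, zeroed partition table) and compares the sector against a baseline hash recorded while the host was healthy. The MBR bytes below are constructed for illustration; `read_mbr` assumes a disk-image path or a raw device that the caller has permission to open.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
TABLE_OFFSET = 446            # the partition table follows 446 bytes of boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four 16-byte partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # Entry layout: status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Report the signs of a wiped sector and any drift from a recorded baseline hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    digest = hashlib.sha256(mbr).hexdigest()
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if mbr[TABLE_OFFSET:510] == bytes(64):
        findings.append("partition table is all zeros")
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return {"sha256": digest, "findings": findings, "partitions": parse_partitions(mbr)}


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a disk image or raw device (raw devices need administrator rights)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed sample: one bootable NTFS (type 0x07) partition at LBA 2048, 204800 sectors.
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
HEALTHY_MBR = b"\xfa\x33\xc0" + bytes(443) + _entry + bytes(48) + BOOT_SIGNATURE
# Constructed sample of what a wiper leaves behind: sector 0 overwritten with zeros.
WIPED_MBR = bytes(MBR_SIZE)

if __name__ == "__main__":
    baseline = assess_mbr(HEALTHY_MBR)["sha256"]  # record this while the host is healthy
    for name, sector in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(sector, baseline)["findings"] or "no findings")
```

Recording the baseline hash off-host, alongside the backups the text recommends, lets a responder tell a wiped sector from a legitimately re-partitioned one.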

Clearing Up a Disk Wiper before It Wipes Your Company Out

Malware researchers stress that ZeroCleare's infection strategy does not collect victims at random, as brute-forcing attempts sometimes do. Infections are highly targeted and show a capacity for adapting to very specific environments, including a workaround for the driver security controls on 64-bit Windows machines. Sectors currently at risk include most sub-segments of the energy industry, such as gas and oil.

Network administrators should keep to the usual precautions for choosing passwords that criminals can't brute-force their way into 'guessing.' Limiting administrative account privileges and keeping secure backups are also effective defenses for containing the damage ZeroCleare can cause. Unless unanticipated bugs or the intervention of security products interfere with ZeroCleare's payload, the hardware damage is permanent.

Because this Trojan is a highly sophisticated threat, users should always have appropriate anti-malware services or professional researchers handle removing ZeroCleare or, preferably, detecting and blocking its installation.

With seven years between ZeroCleare and the last Iran-based attacks of similarly destructive impact, this Trojan marks a new rise in hostilities on the digital battlefield. The ultimate winner remains in question, although no organization should bet too much on recovering from an attack that has already been inflicted.
