Iranian hackers deploy new ZeroCleare data-wiping malware
Recently, IBM's security researchers discovered a new type of destructive data-wiping malware, ZeroCleare. Wiper malware of this kind is often used to destroy evidence and cover up an intrusion, or to put pressure on the victim.
It is reported that the malware was jointly developed by the Iranian government-funded hacker groups xHunt and APT34 and deployed in a cyberattack targeting energy companies active in the Middle East. There are two versions of the software, one for 32-bit systems and one for 64-bit systems, but only the 64-bit version actually works.
The attacks are usually carried out in several stages. The attackers first launch a brute-force attack to gain access to a network account at the target company. With that access, they exploit SharePoint vulnerabilities to install specific web shells and infect as many devices on the network as possible. Finally, they deploy ZeroCleare on those devices. Once ZeroCleare has obtained elevated privileges, it loads the EldoS RawDisk driver to erase the MBR and corrupt the disk partitions of the affected machines.
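Two stages of the chain described above leave telemetry a defender can correlate: the initial burst of failed logons, and the later load of a raw-disk driver. The following Python is an added illustration (not IBM's code and not part of the original report) that runs such a correlation over constructed Windows-style events; it assumes Security Event ID 4625 for failed logons, Sysmon Event ID 6 for driver loads, and that the wiper's driver can be recognised by the vendor name in its signer or image path.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): a burst of failed logons
# on one host, a driver load signed by the raw-disk tool vendor on the same
# host, and a benign Microsoft driver load elsewhere that must not be flagged.
EVENTS = [
    {"ts": f"2019-11-01T09:00:{s:02d}", "id": 4625, "host": "web01",
     "src": "10.0.0.9", "user": "svc_share"} for s in range(6)
] + [
    {"ts": "2019-11-01T09:20:00", "id": 6, "host": "web01",
     "image": "C:\\Windows\\Temp\\drv.sys", "signature": "EldoS Corporation"},
    {"ts": "2019-11-01T09:21:00", "id": 6, "host": "db02",
     "image": "C:\\Windows\\System32\\drivers\\disk.sys",
     "signature": "Microsoft Windows"},
]

BRUTE_FORCE_THRESHOLD = 5                  # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... within this window
# Assumption: the raw-disk driver is identified by vendor/product strings in
# the signer or image path; tune these markers to your own telemetry.
RAW_DISK_MARKERS = ("rawdisk", "eldos")


def detect(events):
    """Return (alert_type, host, detail) tuples in time order."""
    alerts, fired = [], set()
    failures = defaultdict(list)  # (host, src) -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            key = (e["host"], e["src"])
            recent = [x for x in failures[key] if t - x <= BRUTE_FORCE_WINDOW]
            recent.append(t)
            failures[key] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and key not in fired:
                fired.add(key)  # alert once per (host, source) pair
                alerts.append(("brute_force", e["host"], e["src"]))
        elif e["id"] == 6:
            haystack = (e.get("signature", "") + " " + e.get("image", "")).lower()
            if any(m in haystack for m in RAW_DISK_MARKERS):
                alerts.append(("raw_disk_driver", e["host"], e["image"]))
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts showing both stages: credential attack, then raw-disk driver load."""
    by_host = defaultdict(set)
    for kind, host, _ in alerts:
        by_host[host].add(kind)
    return {h for h, kinds in by_host.items()
            if {"brute_force", "raw_disk_driver"} <= kinds}
```

A host that reaches the second stage has already passed the point where the wiper can run, so the driver-load alert on its own should be treated as urgent even without the earlier logon burst.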
IBM states that ZeroCleare's targets are not chosen at random: the attacks are aimed at very specific organizations, in this case energy companies in the Middle East. The company has not yet disclosed details about the victims.