Iran: Iranian state-sponsored hackers are believed to be operating a destructive new piece of malware that has been named ZeroCleare. ZeroCleare is currently targeting the “industrial and energy sectors” throughout the Middle East. It is currently believed that the malware is being operated by APT34 and at least one other Iranian group that has yet to be identified. ZeroCleare has a number of similarities to Iran’s Shamoon malware and is used to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based systems. Like Shamoon ZeroCleare abuses EldoS RawDisk to target files and disks on targeted systems. ZeroCleare has different workflows depending on the system it is deployed on, using different methods depending on whether it is on a 32-bit or a 64-bit system.
Analyst Notes
None of the targeted organizations have been publicly identified yet, although it is likely that targeted organizations would have ties to either the United States or to U.S. allies in the region. Targeting energy and industrial sectors allows Iran the opportunity to disrupt nations that they see as enemy states. Cyber-attacks also allow Iran to attack enemy states in a way that is deniable, causing confusion about attribution. More information on how ZeroCleare operates can be found at https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/
