New Shamoon-style disk wiper hits Middle East oil producers

Security researchers have spotted a new destructive malware that attempts to wipe hard disks on computer systems at Middle Eastern energy companies, and believe it is the work of Iranian state-sponsored hacking groups.

IBM's X-Force researchers say [pdf] the malware, named ZeroCleare after a program database pathname found in it, has been used in a destructive attack against energy and industrial companies in the Middle East.

ZeroCleare comes in 32 and 64 bit variants for Windows, and like the earlier Shamoon malware, tries to overwrite the master boot record and damage hard disk partitions.

Similarly to Shamoon, ZeroCleare bundles the legitimate EldoS RawDisk tool for its destructive activities, X-Force said.

The malware spreads among networked devices using PowerShell scripts and batch files, and features an intentionally vulnerable signed VBoxDrv (VirtualBox) driver.

Using a driver signed by Microsoft to bypass the Windows hardware abstraction layer (HAL) and duck operating system safeguards, the attackers exploit the intentionally vulnerable file to run shellcode at kernel level; this in turn loads the unsigned EldoS driver which would have otherwise been rejected by Windows Driver Signature Enforcement.

The step to bypass the DSE is done with an intermediary executable that X-Force says is a modified version of the Turla Driver Loader malware.

X-Force said the destructive attacks could affect thousands of devices and cause disruption that'd take months to fully recover from.

Due to its similarities with Shamoon, X-Force suggests it is linked to the Advanced Persistent Threat (APT) 34 "OilRig" hackers, and at least another group.

The hackers are likely based in Iran, using infrastructure associated with prior APT34 attacks.