win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive wiper. It was developed to wipe the master boot record (MBR) section of a disk and thereby damage the disk's partitioning. The attackers use the EldoS RawDisk driver to perform the destructive writes; this driver is not signed and would therefore not be loadable by default. They managed to install it by first loading a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. ZeroCleare has been used to attack energy and industrial sector organisations in the Middle East.

References
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, Meteor, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare
2022-09-08 | Microsoft | Microsoft Security Threat Intelligence
Microsoft investigates Iranian attacks against the Albanian government
ZeroCleare
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle, CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, IsraBye, KillDisk, Meteor, Olympic Destroyer, Ordinypt, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare
2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain, CaddyWiper, DistTrack, DoubleZero, EternalPetya, HermeticWiper, IsaacWiper, Olympic Destroyer, Ordinypt, WhisperGate, ZeroCleare
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle
2019-12-09 | IBM Security | IBM IRIS
New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20260504 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e03f c1f906 6bc038 8b0c8d40fd4400 }
            // n = 4, score = 100
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bc038               | imul                eax, eax, 0x38
            //   8b0c8d40fd4400       | mov                 ecx, dword ptr [ecx*4 + 0x44fd40]

        $sequence_1 = { 83bdd4f7ffff08 6a00 0f4385c0f7ffff 51 50 ffd7 }
            // n = 6, score = 100
            //   83bdd4f7ffff08       | cmp                 dword ptr [ebp - 0x82c], 8
            //   6a00                 | push                0
            //   0f4385c0f7ffff       | cmovae              eax, dword ptr [ebp - 0x840]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_2 = { 894304 8b45ec 03c1 894308 }
            // n = 4, score = 100
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   03c1                 | add                 eax, ecx
            //   894308               | mov                 dword ptr [ebx + 8], eax

        $sequence_3 = { 8d04c1 894304 8b45ec 03c1 894308 8b03 }
            // n = 6, score = 100
            //   8d04c1               | lea                 eax, [ecx + eax*8]
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   03c1                 | add                 eax, ecx
            //   894308               | mov                 dword ptr [ebx + 8], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_4 = { 8d04c1 894304 8b45ec 03c1 894308 }
            // n = 5, score = 100
            //   8d04c1               | lea                 eax, [ecx + eax*8]
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   03c1                 | add                 eax, ecx
            //   894308               | mov                 dword ptr [ebx + 8], eax

        $sequence_5 = { 59 6a05 c74048b0d24400 8b4508 6689486c }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   6a05                 | push                5
            //   c74048b0d24400       | mov                 dword ptr [eax + 0x48], 0x44d2b0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6689486c             | mov                 word ptr [eax + 0x6c], cx

        $sequence_6 = { 8b07 8b5610 83c03d c745e801000000 }
            // n = 4, score = 100
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   83c03d               | add                 eax, 0x3d
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1

        $sequence_7 = { 85c0 751f ff15???????? 50 8d4c2408 e8???????? 68???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_8 = { 85c0 0f84d5460000 c3 833d????????ff 7503 33c0 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f84d5460000         | je                  0x46db
            //   c3                   | ret                 
            //   833d????????ff       |                     
            //   7503                 | jne                 5
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 0f94c1 fec9 8b148540fd4400 80e102 8a44172d 24fd 0ac8 }
            // n = 7, score = 100
            //   0f94c1               | sete                cl
            //   fec9                 | dec                 cl
            //   8b148540fd4400       | mov                 edx, dword ptr [eax*4 + 0x44fd40]
            //   80e102               | and                 cl, 2
            //   8a44172d             | mov                 al, byte ptr [edi + edx + 0x2d]
            //   24fd                 | and                 al, 0xfd
            //   0ac8                 | or                  cl, al

    condition:
        7 of them and filesize < 42670080
}
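To show how the rule above is evaluated, here is an added example (not Malpedia's or yara-signator's code) that re-implements its matching logic in plain Python: each hex string becomes a bytes regex in which the `??` wildcard matches any single byte, and the condition `7 of them and filesize < 42670080` is applied to a constructed buffer. The sample bytes are constructed for the demonstration, and note that `$sequence_2` and `$sequence_4` are substrings of `$sequence_3`, so one code region can satisfy three of the ten strings at once.

```python
import re

# Hex strings copied from the win_zerocleare_auto rule above.  "??" is a YARA
# wildcard for one unknown byte (here: relocated call/data addresses).
SEQUENCES = {
    "sequence_0": "83e03f c1f906 6bc038 8b0c8d40fd4400",
    "sequence_1": "83bdd4f7ffff08 6a00 0f4385c0f7ffff 51 50 ffd7",
    "sequence_2": "894304 8b45ec 03c1 894308",
    "sequence_3": "8d04c1 894304 8b45ec 03c1 894308 8b03",
    "sequence_4": "8d04c1 894304 8b45ec 03c1 894308",
    "sequence_5": "59 6a05 c74048b0d24400 8b4508 6689486c",
    "sequence_6": "8b07 8b5610 83c03d c745e801000000",
    "sequence_7": "85c0 751f ff15???????? 50 8d4c2408 e8???????? 68????????",
    "sequence_8": "85c0 0f84d5460000 c3 833d????????ff 7503 33c0",
    "sequence_9": "0f94c1 fec9 8b148540fd4400 80e102 8a44172d 24fd 0ac8",
}
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 42670080  # condition: "filesize < 42670080"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string into a bytes regex; each '??' becomes '.'."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in pattern")
    parts = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    body = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in parts)
    return re.compile(body, re.DOTALL)  # DOTALL so '.' also matches byte 0x0a


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matching_sequences(data: bytes) -> list:
    """Names of the rule's strings found anywhere in data (like YARA's 'them')."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition on an in-memory buffer."""
    return len(matching_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def fill_wildcards(pattern: str, filler: str = "90") -> bytes:
    """Constructed sample bytes: every '??' replaced by one filler byte (NOP)."""
    return bytes.fromhex(pattern.replace(" ", "").replace("??", filler))


# Constructed buffer: padding plus six of the sequences separated by int3 bytes.
# sequence_3 alone also satisfies sequence_2 and sequence_4, giving 8 matches.
CONSTRUCTED_SAMPLE = b"\x00" * 16 + b"\xcc" * 4 + (b"\xcc" * 4).join(
    fill_wildcards(SEQUENCES[n]) for n in
    ("sequence_0", "sequence_1", "sequence_3", "sequence_5", "sequence_6", "sequence_7"))
```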