SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zerocleare (Back to overview)

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive malware. It has been developed in order to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action, which is not a signed driver and would therefore not runnable by default. The attackers managed to install it by using a vulnerable version of VBoxDrv driver, which the DSE accepts and runs. Used to attack middle-east energy and industrial sectors.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-08MicrosoftMicrosoft Security Threat Intelligence
@online{intelligence:20220908:microsoft:66fa6e4, author = {Microsoft Security Threat Intelligence}, title = {{Microsoft investigates Iranian attacks against the Albanian government}}, date = {2022-09-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government}, language = {English}, urldate = {2022-09-13} } Microsoft investigates Iranian attacks against the Albanian government
ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2019-12-09IBM SecurityIBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20230715 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4c2428 8b54242c 890424 8b442430 6a00 }
            // n = 5, score = 100
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   6a00                 | push                0

        $sequence_1 = { c705????????80700000 33c0 c705????????01000000 c705????????f0f1ffff c705????????a0d94400 c3 8bff }
            // n = 7, score = 100
            //   c705????????80700000     |     
            //   33c0                 | xor                 eax, eax
            //   c705????????01000000     |     
            //   c705????????f0f1ffff     |     
            //   c705????????a0d94400     |     
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_2 = { a3???????? a3???????? 8d4de8 e8???????? 8b3d???????? 3b7b0c 730c }
            // n = 7, score = 100
            //   a3????????           |                     
            //   a3????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     
            //   8b3d????????         |                     
            //   3b7b0c               | cmp                 edi, dword ptr [ebx + 0xc]
            //   730c                 | jae                 0xe

        $sequence_3 = { 740a 6bfa38 033c8d40fd4400 f6472d01 }
            // n = 4, score = 100
            //   740a                 | je                  0xc
            //   6bfa38               | imul                edi, edx, 0x38
            //   033c8d40fd4400       | add                 edi, dword ptr [ecx*4 + 0x44fd40]
            //   f6472d01             | test                byte ptr [edi + 0x2d], 1

        $sequence_4 = { 8d04fd00000000 894dfc 8b7df4 8d1401 8945e8 }
            // n = 5, score = 100
            //   8d04fd00000000       | lea                 eax, [edi*8]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8d1401               | lea                 edx, [ecx + eax]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_5 = { 8b45f8 eb0a 8d040a 3b45f8 0f4245f8 8d0cc500000000 894dec }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   eb0a                 | jmp                 0xc
            //   8d040a               | lea                 eax, [edx + ecx]
            //   3b45f8               | cmp                 eax, dword ptr [ebp - 8]
            //   0f4245f8             | cmovb               eax, dword ptr [ebp - 8]
            //   8d0cc500000000       | lea                 ecx, [eax*8]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx

        $sequence_6 = { 6a00 1bc0 6a18 8954241c }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   1bc0                 | sbb                 eax, eax
            //   6a18                 | push                0x18
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx

        $sequence_7 = { 56 8bcf c705????????bca04300 e8???????? 68???????? }
            // n = 5, score = 100
            //   56                   | push                esi
            //   8bcf                 | mov                 ecx, edi
            //   c705????????bca04300     |     
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_8 = { 833d????????00 0f852ce4ffff 8d0dc0524400 ba1b000000 e9???????? a900000080 }
            // n = 6, score = 100
            //   833d????????00       |                     
            //   0f852ce4ffff         | jne                 0xffffe432
            //   8d0dc0524400         | lea                 ecx, [0x4452c0]
            //   ba1b000000           | mov                 edx, 0x1b
            //   e9????????           |                     
            //   a900000080           | test                eax, 0x80000000

        $sequence_9 = { 8b06 8d4908 8941f8 8b4604 8941fc c70600000000 c7460400000000 }
            // n = 7, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4908               | lea                 ecx, [ecx + 8]
            //   8941f8               | mov                 dword ptr [ecx - 8], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8941fc               | mov                 dword ptr [ecx - 4], eax
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0

    condition:
        7 of them and filesize < 42670080
}
Download all Yara Rules