win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is destructive wiper malware. It was developed to wipe the master boot record section of a disk in order to damage the disk's partitioning. The attackers use the EldoS RawDisk driver to perform the destructive writes; that driver is not signed and would therefore not be runnable by default. They managed to install it by first loading a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. ZeroCleare has been used to attack energy and industrial sectors in the Middle East.

References
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
Covers: CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, Meteor, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare

2022-09-08 | Microsoft | Microsoft Security Threat Intelligence
Microsoft investigates Iranian attacks against the Albanian government
Covers: ZeroCleare

2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Covers: Apostle, CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, IsraBye, KillDisk, Meteor, Olympic Destroyer, Ordinypt, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare

2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
Covers: AcidRain, CaddyWiper, DistTrack, DoubleZero, EternalPetya, HermeticWiper, IsaacWiper, Olympic Destroyer, Ordinypt, WhisperGate, ZeroCleare

2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
Covers: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
Covers: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2019-12-09 | IBM Security | IBM IRIS
New Destructive Wiper "ZeroCleare" Targets Energy Sector in the Middle East
Covers: ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20230808 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { db2d???????? b801000000 833d????????00 0f854f6efeff ba05000000 8d0df0694400 e8???????? }
            // n = 7, score = 100
            //   db2d????????         |                     
            //   b801000000           | mov                 eax, 1
            //   833d????????00       |                     
            //   0f854f6efeff         | jne                 0xfffe6e55
            //   ba05000000           | mov                 edx, 5
            //   8d0df0694400         | lea                 ecx, [0x4469f0]
            //   e8????????           |                     

        $sequence_1 = { 0f1185d8f7ffff f30f7e4010 660fd685e8f7ffff c7401000000000 c7401407000000 668908 c645fc04 }
            // n = 7, score = 100
            //   0f1185d8f7ffff       | movups              xmmword ptr [ebp - 0x828], xmm0
            //   f30f7e4010           | movq                xmm0, qword ptr [eax + 0x10]
            //   660fd685e8f7ffff     | movq                qword ptr [ebp - 0x818], xmm0
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0
            //   c7401407000000       | mov                 dword ptr [eax + 0x14], 7
            //   668908               | mov                 word ptr [eax], cx
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

        $sequence_2 = { 6a00 8d45e8 50 6a18 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   6a18                 | push                0x18

        $sequence_3 = { ffd6 6af4 898578f7ffff ffd6 }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   6af4                 | push                -0xc
            //   898578f7ffff         | mov                 dword ptr [ebp - 0x888], eax
            //   ffd6                 | call                esi

        $sequence_4 = { 0f114598 0f1145a8 ff15???????? 8bf8 }
            // n = 4, score = 100
            //   0f114598             | movups              xmmword ptr [ebp - 0x68], xmm0
            //   0f1145a8             | movups              xmmword ptr [ebp - 0x58], xmm0
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_5 = { 895614 7410 c74620df494300 c74624f24a4300 eb0e c7462087414300 }
            // n = 6, score = 100
            //   895614               | mov                 dword ptr [esi + 0x14], edx
            //   7410                 | je                  0x12
            //   c74620df494300       | mov                 dword ptr [esi + 0x20], 0x4349df
            //   c74624f24a4300       | mov                 dword ptr [esi + 0x24], 0x434af2
            //   eb0e                 | jmp                 0x10
            //   c7462087414300       | mov                 dword ptr [esi + 0x20], 0x434187

        $sequence_6 = { c745e4ad184200 eb08 8d4dd8 e8???????? 837e1808 74f2 8bce }
            // n = 7, score = 100
            //   c745e4ad184200       | mov                 dword ptr [ebp - 0x1c], 0x4218ad
            //   eb08                 | jmp                 0xa
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   837e1808             | cmp                 dword ptr [esi + 0x18], 8
            //   74f2                 | je                  0xfffffff4
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { 660f58ca 660f2815???????? f20f59db 660f282d???????? 660f59f5 660f28aa70534400 660f54e5 }
            // n = 7, score = 100
            //   660f58ca             | addpd               xmm1, xmm2
            //   660f2815????????     |                     
            //   f20f59db             | mulsd               xmm3, xmm3
            //   660f282d????????     |                     
            //   660f59f5             | mulpd               xmm6, xmm5
            //   660f28aa70534400     | movapd              xmm5, xmmword ptr [edx + 0x445370]
            //   660f54e5             | andpd               xmm4, xmm5

        $sequence_8 = { 8b04cdd40a4400 5f 5e 5b 8be5 5d c3 }
            // n = 7, score = 100
            //   8b04cdd40a4400       | mov                 eax, dword ptr [ecx*8 + 0x440ad4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_9 = { 33c0 8985e4f7ffff 90 8b4c3814 8d1438 8d4101 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   8985e4f7ffff         | mov                 dword ptr [ebp - 0x81c], eax
            //   90                   | nop                 
            //   8b4c3814             | mov                 ecx, dword ptr [eax + edi + 0x14]
            //   8d1438               | lea                 edx, [eax + edi]
            //   8d4101               | lea                 eax, [ecx + 1]

    condition:
        7 of them and filesize < 42670080
}