win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive malware. It was developed to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action; this driver is not signed and would therefore not be runnable by default. The attackers managed to install it by using a vulnerable version of the VBoxDrv driver, which DSE (Driver Signature Enforcement) accepts and runs. It was used to attack Middle East energy and industrial sectors.

References
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2019-12-09 | IBM Security | IBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Detection rule for the ZeroCleare wiper (Malpedia family win.zerocleare).
// The ten $sequence_* strings below are short x86 opcode runs that were
// selected automatically from disassembly of unpacked samples; the
// DISCLAIMER inside the rule explains how they were chosen and why the
// rule's generalization to other samples should not be assumed.
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a YARA hex string; the comment block under it lists
    // the instruction that each byte group disassembles to ("n" is the number
    // of instructions, "score" the generator's weight). Byte groups written as
    // "??" are YARA wildcards that match any byte -- here the rel32
    // displacements of e8/e9 call/jmp and absolute memory operands, which vary
    // between builds -- so the disassembly column is left blank for them.
    strings:
        $sequence_0 = { 2b0b f7ea c1fa02 8bc2 c1e81f }
            // n = 5, score = 100
            //   2b0b                 | sub                 ecx, dword ptr [ebx]
            //   f7ea                 | imul                edx
            //   c1fa02               | sar                 edx, 2
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f

        $sequence_1 = { 0f8483000000 eb7d 8b1c9d6cc74300 6800080000 6a00 53 }
            // n = 6, score = 100
            //   0f8483000000         | je                  0x89
            //   eb7d                 | jmp                 0x7f
            //   8b1c9d6cc74300       | mov                 ebx, dword ptr [ebx*4 + 0x43c76c]
            //   6800080000           | push                0x800
            //   6a00                 | push                0
            //   53                   | push                ebx

        $sequence_2 = { 8d4101 3bf0 0f46f0 8d0449 8d0c85b0038501 8935???????? 8b4104 }
            // n = 7, score = 100
            //   8d4101               | lea                 eax, [ecx + 1]
            //   3bf0                 | cmp                 esi, eax
            //   0f46f0               | cmovbe              esi, eax
            //   8d0449               | lea                 eax, [ecx + ecx*2]
            //   8d0c85b0038501       | lea                 ecx, [eax*4 + 0x18503b0]
            //   8935????????         |                     
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]

        $sequence_3 = { 833d????????00 0f85ecb40000 8d0d20dc4300 ba1d000000 }
            // n = 4, score = 100
            //   833d????????00       |                     
            //   0f85ecb40000         | jne                 0xb4f2
            //   8d0d20dc4300         | lea                 ecx, [0x43dc20]
            //   ba1d000000           | mov                 edx, 0x1d

        $sequence_4 = { e9???????? 8b048d40fd4400 807c022800 7d39 8b7508 ff75fc ff36 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b048d40fd4400       | mov                 eax, dword ptr [ecx*4 + 0x44fd40]
            //   807c022800           | cmp                 byte ptr [edx + eax + 0x28], 0
            //   7d39                 | jge                 0x3b
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff36                 | push                dword ptr [esi]

        $sequence_5 = { c745b000000000 85c0 7409 50 e8???????? }
            // n = 5, score = 100
            //   c745b000000000       | mov                 dword ptr [ebp - 0x50], 0
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { c745e4ad184200 eb08 8d4dd8 e8???????? 837e1808 74f2 8bce }
            // n = 7, score = 100
            //   c745e4ad184200       | mov                 dword ptr [ebp - 0x1c], 0x4218ad
            //   eb08                 | jmp                 0xa
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   837e1808             | cmp                 dword ptr [esi + 0x18], 8
            //   74f2                 | je                  0xfffffff4
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { 8d4d8c 8b75e8 f30f7e45d0 660fd6459c }
            // n = 4, score = 100
            //   8d4d8c               | lea                 ecx, [ebp - 0x74]
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   f30f7e45d0           | movq                xmm0, qword ptr [ebp - 0x30]
            //   660fd6459c           | movq                qword ptr [ebp - 0x64], xmm0

        $sequence_8 = { 8b04cdd40a4400 5f 5e 5b 8be5 5d c3 }
            // n = 7, score = 100
            //   8b04cdd40a4400       | mov                 eax, dword ptr [ecx*8 + 0x440ad4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_9 = { 8d5704 56 52 e8???????? 83c40c }
            // n = 5, score = 100
            //   8d5704               | lea                 edx, [edi + 4]
            //   56                   | push                esi
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

    // A file matches when at least 7 of the 10 $sequence_* strings are found
    // in it. filesize is in bytes, so inputs of 42670080 bytes or more never
    // match regardless of content; the sequences alone are not checked
    // against an offset or section, only for presence anywhere in the file.
    condition:
        7 of them and filesize < 42670080
}