win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is destructive malware developed to wipe the master boot record (MBR) in order to damage a disk's partitioning. The attackers use the EldoS RawDisk driver to perform the wiping; this driver is not signed and would therefore not be loadable by default. They managed to load it by using a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. ZeroCleare has been used to attack Middle East energy and industrial sectors.
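As an added illustration of the damage described above (example code written for this page, not part of the Malpedia entry or of any ZeroCleare analysis), the following Python triage check takes the first 512 bytes of a disk image and reports whether the MBR partition table is still intact, has been zeroed, or has been overwritten with other data. The sample sector it checks is constructed inline; no real disk is needed.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 0x1FE     # 0x55 0xAA boot signature closes the sector
BOOT_SIG = b"\x55\xAA"
# entry layout: status, CHS start (3 bytes, skipped), type, CHS end (skipped),
# LBA of first sector, sector count (both little-endian 32-bit)
ENTRY_FMT = "<B3xB3xII"

def parse_partition_table(sector: bytes) -> list:
    """Decode the non-empty entries of a classic MBR partition table."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries

def classify_mbr(sector: bytes) -> str:
    """Triage verdict for the first 512 bytes of a disk: intact, zeroed or corrupt."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector == bytes(SECTOR_SIZE):
        return "zeroed"           # whole sector overwritten with zeros
    if sector[BOOT_SIG_OFFSET:] != BOOT_SIG:
        return "corrupt"          # signature gone: sector filled with other data
    parts = parse_partition_table(sector)
    if not parts:
        return "corrupt"          # signature present but no partitions defined
    # partitions must start after sector 0, be non-empty and must not overlap
    prev_end = 1
    for start, end in sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts):
        if start < prev_end or end <= start:
            return "corrupt"
        prev_end = end
    return "intact"

def build_sample_mbr() -> bytes:
    """Constructed sample: bootstrap area left empty, one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFFSET:] = BOOT_SIG
    return bytes(sector)
```

To run it against a raw image, pass `open(path, "rb").read(512)` to `classify_mbr`; a "zeroed" or "corrupt" verdict on a disk that previously booted is the kind of finding this wiper leaves behind.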

References
2021-02-28, PWC UK: "Cyber Threats 2020: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf (accessed 2021-03-04)
2020-03-03, PWC UK: "Cyber Threats 2019: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf (accessed 2020-03-03)
2019-12-09, IBM IRIS (IBM Security): "New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East". https://www.ibm.com/downloads/cas/OAJ4VZNJ (accessed 2020-01-09)
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20211008 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b048540fd4400 8b5df0 33ff 8955dc f644032848 8b5d08 0f84bf000000 }
            // n = 7, score = 100
            //   8b048540fd4400       | mov                 eax, dword ptr [eax*4 + 0x44fd40]
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   33ff                 | xor                 edi, edi
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   f644032848           | test                byte ptr [ebx + eax + 0x28], 0x48
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   0f84bf000000         | je                  0xc5

        $sequence_1 = { eb11 c6060d 8b048d40fd4400 8854072a 8b45e4 }
            // n = 5, score = 100
            //   eb11                 | jmp                 0x13
            //   c6060d               | mov                 byte ptr [esi], 0xd
            //   8b048d40fd4400       | mov                 eax, dword ptr [ecx*4 + 0x44fd40]
            //   8854072a             | mov                 byte ptr [edi + eax + 0x2a], dl
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_2 = { 8b7de0 8b75dc 8b441838 8bd1 }
            // n = 4, score = 100
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   8b441838             | mov                 eax, dword ptr [eax + ebx + 0x38]
            //   8bd1                 | mov                 edx, ecx

        $sequence_3 = { 6a38 b8???????? e8???????? 8bc1 8945e8 33c9 c745d8005d4400 }
            // n = 7, score = 100
            //   6a38                 | push                0x38
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bc1                 | mov                 eax, ecx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   33c9                 | xor                 ecx, ecx
            //   c745d8005d4400       | mov                 dword ptr [ebp - 0x28], 0x445d00

        $sequence_4 = { c1ff06 6bf638 8b04bd40fd4400 807c302800 7d3c e8???????? }
            // n = 6, score = 100
            //   c1ff06               | sar                 edi, 6
            //   6bf638               | imul                esi, esi, 0x38
            //   8b04bd40fd4400       | mov                 eax, dword ptr [edi*4 + 0x44fd40]
            //   807c302800           | cmp                 byte ptr [eax + esi + 0x28], 0
            //   7d3c                 | jge                 0x3e
            //   e8????????           |                     

        $sequence_5 = { 6bc838 8b049540fd4400 8b440818 83f8ff 7409 83f8fe 7404 }
            // n = 7, score = 100
            //   6bc838               | imul                ecx, eax, 0x38
            //   8b049540fd4400       | mov                 eax, dword ptr [edx*4 + 0x44fd40]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]
            //   83f8ff               | cmp                 eax, -1
            //   7409                 | je                  0xb
            //   83f8fe               | cmp                 eax, -2
            //   7404                 | je                  6

        $sequence_6 = { 57 50 8d45f4 64a300000000 e8???????? b855555555 c78508f8ffff00000000 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   e8????????           |                     
            //   b855555555           | mov                 eax, 0x55555555
            //   c78508f8ffff00000000 | mov                 dword ptr [ebp - 0x7f8], 0

        $sequence_7 = { 83c408 8b4dfc 8b45f8 890b 5f 5e 8d04c1 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   890b                 | mov                 dword ptr [ebx], ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8d04c1               | lea                 eax, dword ptr [ecx + eax*8]

        $sequence_8 = { 33d2 8b7710 b8???????? f7770c 83ee01 8bd8 7826 }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   8b7710               | mov                 esi, dword ptr [edi + 0x10]
            //   b8????????           |                     
            //   f7770c               | div                 dword ptr [edi + 0xc]
            //   83ee01               | sub                 esi, 1
            //   8bd8                 | mov                 ebx, eax
            //   7826                 | js                  0x28

        $sequence_9 = { 56 50 e8???????? 8b7594 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b7594               | mov                 esi, dword ptr [ebp - 0x6c]

    condition:
        7 of them and filesize < 42670080
}