win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive wiper. It overwrites the master boot record (MBR) and the disk's partition structures so that the affected system can no longer boot or locate its data. The destructive writes are performed through the EldoS RawDisk driver; the copy the attackers deploy is unsigned, so Windows Driver Signature Enforcement (DSE) would refuse to load it by default. To get around this, the attackers first load a vulnerable but validly signed version of the Oracle VirtualBox VBoxDrv driver, which DSE accepts, and abuse it to bring the unsigned RawDisk driver into the kernel. ZeroCleare has been used against energy and industrial-sector organizations in the Middle East.
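The loading chain described above (a signed but vulnerable driver first, an unsigned driver shortly afterwards) is what a defender can look for in driver-load telemetry. The script below is an added example, not code from Malpedia or from the referenced reports: it runs simple correlation logic over records shaped like Sysmon Event ID 6 ("Driver loaded") and flags the pattern. The sample events are constructed; the file name elrawdsk.sys for the EldoS RawDisk driver, the signer strings and the ten-minute correlation window are assumptions made for the example.

```python
"""Flag a ZeroCleare-style driver-loading chain in Sysmon 'Driver loaded' events.

Added example: not code from the Malpedia page or any referenced report.
Event records are constructed inline in the shape of Sysmon Event ID 6 fields.
"""
from datetime import datetime, timedelta

# Driver file names tied to the technique. 'vboxdrv.sys' is the Oracle VirtualBox
# driver; 'elrawdsk.sys' as the EldoS RawDisk driver's on-disk name is an
# assumption made for this example, as is the ten-minute correlation window.
ABUSED_SIGNED_DRIVERS = {"vboxdrv.sys"}
RAW_DISK_DRIVERS = {"elrawdsk.sys"}
CHAIN_WINDOW = timedelta(minutes=10)


def _event_time(ev):
    # Sysmon UtcTime looks like '2019-12-05 10:00:00.123'
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _driver_name(ev):
    return ev["ImageLoaded"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unsigned(ev):
    """True when Sysmon did not record a valid signature on the loaded image."""
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"


def find_driver_chain(events):
    """Return one alert dict per finding.

    medium:   a known-abused signed driver was loaded at all
    high:     a raw-disk-access driver was loaded
    critical: an unsigned driver was loaded within CHAIN_WINDOW after a
              known-abused signed driver on the same host (the DSE bypass pattern)
    """
    alerts = []
    by_host = {}
    for ev in sorted(events, key=_event_time):
        by_host.setdefault(ev["Computer"], []).append(ev)

    for host, host_events in by_host.items():
        enablers = []  # (time, name) of abused signed drivers seen on this host
        for ev in host_events:
            t, name = _event_time(ev), _driver_name(ev)
            if name in ABUSED_SIGNED_DRIVERS and not is_unsigned(ev):
                alerts.append({"host": host, "severity": "medium", "driver": name,
                               "reason": "known-abused signed driver loaded"})
                enablers.append((t, name))
            if name in RAW_DISK_DRIVERS:
                alerts.append({"host": host, "severity": "high", "driver": name,
                               "reason": "raw disk access driver loaded"})
            if is_unsigned(ev):
                via = [n for (ts, n) in enablers if t - ts <= CHAIN_WINDOW]
                if via:
                    alerts.append({"host": host, "severity": "critical", "driver": name,
                                   "reason": "unsigned driver loaded after " + ", ".join(via)})
    return alerts


# Constructed sample events (Sysmon Event ID 6 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2019-12-05 10:00:00.101",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "WS01", "UtcTime": "2019-12-05 10:01:12.450",
     "ImageLoaded": "C:\\Windows\\Temp\\vboxdrv.sys",
     "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"},
    {"Computer": "WS01", "UtcTime": "2019-12-05 10:01:40.007",
     "ImageLoaded": "C:\\Windows\\Temp\\elrawdsk.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # A developer workstation with VirtualBox installed: noisy, but no chain.
    {"Computer": "DEV02", "UtcTime": "2019-12-05 08:30:00.000",
     "ImageLoaded": "C:\\Program Files\\Oracle\\VirtualBox\\drivers\\vboxdrv\\vboxdrv.sys",
     "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for a in find_driver_chain(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["driver"], a["reason"])
```

The medium-severity hit on DEV02 shows why the name watchlist alone is noisy on hosts that legitimately run VirtualBox; the sequence "signed abused driver, then unsigned driver, same host, short window" is what separates the WS01 chain from ordinary use and is the finding worth paging on.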

References
2022-04-28 | Fortinet | Gergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} }
Referenced families: AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Referenced families: elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Referenced families: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2019-12-09 | IBM Security | IBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} }
Referenced families: ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20220516 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 6bf038 c1f906 57 895594 894db0 8b048d40fd4400 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   6bf038               | imul                esi, eax, 0x38
            //   c1f906               | sar                 ecx, 6
            //   57                   | push                edi
            //   895594               | mov                 dword ptr [ebp - 0x6c], edx
            //   894db0               | mov                 dword ptr [ebp - 0x50], ecx
            //   8b048d40fd4400       | mov                 eax, dword ptr [ecx*4 + 0x44fd40]

        $sequence_1 = { 8b55b0 8b4db4 8a5de3 8b049540fd4400 885c012e 8b049540fd4400 804c012d04 }
            // n = 7, score = 100
            //   8b55b0               | mov                 edx, dword ptr [ebp - 0x50]
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   8a5de3               | mov                 bl, byte ptr [ebp - 0x1d]
            //   8b049540fd4400       | mov                 eax, dword ptr [edx*4 + 0x44fd40]
            //   885c012e             | mov                 byte ptr [ecx + eax + 0x2e], bl
            //   8b049540fd4400       | mov                 eax, dword ptr [edx*4 + 0x44fd40]
            //   804c012d04           | or                  byte ptr [ecx + eax + 0x2d], 4

        $sequence_2 = { 8d4908 8941f8 8b4604 8941fc }
            // n = 4, score = 100
            //   8d4908               | lea                 ecx, [ecx + 8]
            //   8941f8               | mov                 dword ptr [ecx - 8], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8941fc               | mov                 dword ptr [ecx - 4], eax

        $sequence_3 = { 660f59f5 660f28aa70534400 660f54e5 660f58fe 660f58fc }
            // n = 5, score = 100
            //   660f59f5             | mulpd               xmm6, xmm5
            //   660f28aa70534400     | movapd              xmm5, xmmword ptr [edx + 0x445370]
            //   660f54e5             | andpd               xmm4, xmm5
            //   660f58fe             | addpd               xmm7, xmm6
            //   660f58fc             | addpd               xmm7, xmm4

        $sequence_4 = { 83ec0c 53 8bd9 b8abaaaa2a }
            // n = 4, score = 100
            //   83ec0c               | sub                 esp, 0xc
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab

        $sequence_5 = { c745b000000000 85c0 7409 50 e8???????? }
            // n = 5, score = 100
            //   c745b000000000       | mov                 dword ptr [ebp - 0x50], 0
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 2bc1 83c0fc 83f81f 0f871e010000 52 51 }
            // n = 6, score = 100
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f871e010000         | ja                  0x124
            //   52                   | push                edx
            //   51                   | push                ecx

        $sequence_7 = { 03d3 03d1 8b0c8540fd4400 8a0433 43 }
            // n = 5, score = 100
            //   03d3                 | add                 edx, ebx
            //   03d1                 | add                 edx, ecx
            //   8b0c8540fd4400       | mov                 ecx, dword ptr [eax*4 + 0x44fd40]
            //   8a0433               | mov                 al, byte ptr [ebx + esi]
            //   43                   | inc                 ebx

        $sequence_8 = { 8d4c2418 51 6a08 8d542414 52 6a00 }
            // n = 6, score = 100
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   51                   | push                ecx
            //   6a08                 | push                8
            //   8d542414             | lea                 edx, [esp + 0x14]
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_9 = { 8b06 8d4908 8941f8 8b4604 8941fc c70600000000 c7460400000000 }
            // n = 7, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4908               | lea                 ecx, [ecx + 8]
            //   8941f8               | mov                 dword ptr [ecx - 8], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8941fc               | mov                 dword ptr [ecx - 4], eax
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0

    condition:
        7 of them and filesize < 42670080
}
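The rule above is autogenerated: ten disassembly-derived hex strings and the condition `7 of them and filesize < 42670080`. To see how that condition behaves, the script below is an added example (not code from Malpedia or from yara-signator) that re-implements only the hex-string features these rules use (fixed bytes and the single-byte `??` wildcard) and evaluates the condition against constructed buffers built from the rule's own sequences. One thing it makes visible: `$sequence_2` is a sub-sequence of `$sequence_9`, so any sample that hits `$sequence_9` hits `$sequence_2` for free and needs only five further sequences to reach the threshold.

```python
"""Evaluate the hex strings of win_zerocleare_auto without YARA.

Added example, not from the Malpedia page or yara-signator. It implements only
the hex-string features these autogenerated rules use (fixed bytes and the
single-byte '??' wildcard) plus the '7 of them and filesize < N' condition.
"""

# The ten $sequence_N hex strings copied from the rule above.
RULE_STRINGS = {
    "sequence_0": "56 6bf038 c1f906 57 895594 894db0 8b048d40fd4400",
    "sequence_1": "8b55b0 8b4db4 8a5de3 8b049540fd4400 885c012e 8b049540fd4400 804c012d04",
    "sequence_2": "8d4908 8941f8 8b4604 8941fc",
    "sequence_3": "660f59f5 660f28aa70534400 660f54e5 660f58fe 660f58fc",
    "sequence_4": "83ec0c 53 8bd9 b8abaaaa2a",
    "sequence_5": "c745b000000000 85c0 7409 50 e8????????",
    "sequence_6": "2bc1 83c0fc 83f81f 0f871e010000 52 51",
    "sequence_7": "03d3 03d1 8b0c8540fd4400 8a0433 43",
    "sequence_8": "8d4c2418 51 6a08 8d542414 52 6a00",
    "sequence_9": "8b06 8d4908 8941f8 8b4604 8941fc c70600000000 c7460400000000",
}
REQUIRED = 7            # '7 of them'
MAX_FILESIZE = 42670080  # 'filesize < 42670080'


def parse_hex_string(text):
    """'56 6bf0 e8????' -> [0x56, 0x6b, 0xf0, 0xe8, None, None]; None is a wildcard byte."""
    pattern = []
    for token in text.split():
        if len(token) % 2:
            raise ValueError("odd-length hex token: " + token)
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            pattern.append(None if pair == "??" else int(pair, 16))
    return pattern


def find_pattern(buf, pattern):
    """Offset of the first match of pattern in buf, or -1 if absent."""
    n = len(pattern)
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


def evaluate_rule(buf, strings=RULE_STRINGS, required=REQUIRED, max_size=MAX_FILESIZE):
    """Return (rule_matches, sorted names of the strings found in buf)."""
    matched = sorted(name for name, hx in strings.items()
                     if find_pattern(buf, parse_hex_string(hx)) >= 0)
    return (len(matched) >= required and len(buf) < max_size), matched


def build_buffer(names, filler=0x90):
    """Constructed test input: the named sequences laid out back to back with
    wildcard bytes replaced by filler and 0xCC padding between them."""
    out = bytearray(b"\x00" * 16)
    for name in names:
        out += bytes(filler if b is None else b for b in parse_hex_string(RULE_STRINGS[name]))
        out += b"\xcc" * 8
    return bytes(out)


if __name__ == "__main__":
    for count in (6, 7):
        ok, matched = evaluate_rule(build_buffer([f"sequence_{i}" for i in range(count)]))
        print(count, "sequences present ->", ok, matched)
    print("sequence_9 alone ->", evaluate_rule(build_buffer(["sequence_9"]))[1])
```

Real scanning should still use YARA itself (this evaluator is quadratic and ignores every other feature of the language); the point is to reason about what the threshold means before assigning the rule a confidence level, as the rule's own disclaimer asks.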