win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive malware (a wiper). It was developed to overwrite the master boot record (MBR) in order to damage a disk's partitioning. To perform the raw disk writes, the attackers use the EldoS RawDisk driver; because that driver is not signed, it cannot be loaded by default. The attackers got it loaded by first installing a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. ZeroCleare has been used to attack organisations in the energy and industrial sectors of the Middle East.

References
2021-02-28 | PWC UK | Cyber Threats 2020: A Year in Retrospect
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Families covered by this reference: elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2020-03-03 | PWC UK | Cyber Threats 2019: A Year in Retrospect
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families covered by this reference: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2019-12-09 | IBM Security (IBM IRIS) | New Destructive Wiper "ZeroCleare" Targets Energy Sector in the Middle East
https://www.ibm.com/downloads/cas/OAJ4VZNJ
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} }
Families covered by this reference: ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 83ec14 56 8b7508 ff34b5109f4300 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ff34b5109f4300       | push                dword ptr [esi*4 + 0x439f10]

        $sequence_1 = { c705????????80700000 33c0 c705????????01000000 c705????????f0f1ffff c705????????a0d94400 c3 8bff }
            // n = 7, score = 100
            //   c705????????80700000     |     
            //   33c0                 | xor                 eax, eax
            //   c705????????01000000     |     
            //   c705????????f0f1ffff     |     
            //   c705????????a0d94400     |     
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_2 = { 6a00 8d45e8 50 6a18 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   6a18                 | push                0x18

        $sequence_3 = { c74704???????? 8d85f0f7ffff c645fc02 0f57c0 c785fcf7ffff00000000 }
            // n = 5, score = 100
            //   c74704????????       |                     
            //   8d85f0f7ffff         | lea                 eax, [ebp - 0x810]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   0f57c0               | xorps               xmm0, xmm0
            //   c785fcf7ffff00000000     | mov    dword ptr [ebp - 0x804], 0

        $sequence_4 = { 8b4c2408 8b542404 81ec04080000 50 51 52 e8???????? }
            // n = 7, score = 100
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   81ec04080000         | sub                 esp, 0x804
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_5 = { 8b8d00f8ffff 33f6 2bc1 85c0 0f8e90000000 660f1f840000000000 }
            // n = 6, score = 100
            //   8b8d00f8ffff         | mov                 ecx, dword ptr [ebp - 0x800]
            //   33f6                 | xor                 esi, esi
            //   2bc1                 | sub                 eax, ecx
            //   85c0                 | test                eax, eax
            //   0f8e90000000         | jle                 0x96
            //   660f1f840000000000     | nop    word ptr [eax + eax]

        $sequence_6 = { 59 83ffff 7407 8b34bd00654400 56 e8???????? 57 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   83ffff               | cmp                 edi, -1
            //   7407                 | je                  9
            //   8b34bd00654400       | mov                 esi, dword ptr [edi*4 + 0x446500]
            //   56                   | push                esi
            //   e8????????           |                     
            //   57                   | push                edi

        $sequence_7 = { 57 898510f8ffff e8???????? 83c404 85c0 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   898510f8ffff         | mov                 dword ptr [ebp - 0x7f0], eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax

        $sequence_8 = { 50 8b842410080000 51 8b8c2410080000 52 50 51 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b842410080000       | mov                 eax, dword ptr [esp + 0x810]
            //   51                   | push                ecx
            //   8b8c2410080000       | mov                 ecx, dword ptr [esp + 0x810]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_9 = { 79dd 8b4d08 8b45f8 83c118 8b7dfc 894d08 47 }
            // n = 7, score = 100
            //   79dd                 | jns                 0xffffffdf
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c118               | add                 ecx, 0x18
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   47                   | inc                 edi

    condition:
        7 of them and filesize < 42670080
}
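The rule above is evaluated by YARA, but its matching semantics are simple enough to re-implement, which helps when reviewing what the autogenerated sequences actually detect. The following script is an added example, not part of the Malpedia page or of yara-signator: it copies the ten hex strings from win_zerocleare_auto, compiles each into a byte regex in which every `??` is a single-byte wildcard, and evaluates the `7 of them and filesize < 42670080` condition. The two sample buffers are constructed here by instantiating some of the sequences with NOP filler bytes; they are demonstration input, not ZeroCleare bytes, and nibble-level wildcards (e.g. `?1`), jumps and alternatives from the full YARA hex-string grammar are deliberately out of scope.

```python
"""Re-implementation of the matching semantics of win_zerocleare_auto.

Added example, not part of the Malpedia page or of yara-signator. It shows how
the rule's hex sequences (with ?? single-byte wildcards) and its
"7 of them and filesize < N" condition are evaluated, using only the standard
library. The sequences are copied from the rule; the sample buffers are
constructed here for demonstration and are not ZeroCleare bytes.
"""
import re

# Hex string definitions copied from the page's rule (names match $sequence_N).
SEQUENCES = {
    "sequence_0": "8bec 83ec14 56 8b7508 ff34b5109f4300",
    "sequence_1": "c705????????80700000 33c0 c705????????01000000 "
                  "c705????????f0f1ffff c705????????a0d94400 c3 8bff",
    "sequence_2": "6a00 8d45e8 50 6a18",
    "sequence_3": "c74704???????? 8d85f0f7ffff c645fc02 0f57c0 c785fcf7ffff00000000",
    "sequence_4": "8b4c2408 8b542404 81ec04080000 50 51 52 e8????????",
    "sequence_5": "8b8d00f8ffff 33f6 2bc1 85c0 0f8e90000000 660f1f840000000000",
    "sequence_6": "59 83ffff 7407 8b34bd00654400 56 e8???????? 57",
    "sequence_7": "57 898510f8ffff e8???????? 83c404 85c0",
    "sequence_8": "50 8b842410080000 51 8b8c2410080000 52 50 51",
    "sequence_9": "79dd 8b4d08 8b45f8 83c118 8b7dfc 894d08 47",
}
MIN_MATCHES = 7           # condition: "7 of them"
MAX_FILESIZE = 42670080   # condition: "filesize < 42670080"


def byte_pairs(pattern):
    """Split 'ab ?? cd' into ['ab', '??', 'cd'] (one entry per byte)."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern must describe whole bytes")
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]


def hex_pattern_to_regex(pattern):
    """Compile a hex pattern into a bytes regex; ?? matches any single byte."""
    parts = []
    for pair in byte_pairs(pattern):
        if pair == "??":
            parts.append(b".")
        elif "?" in pair:
            raise ValueError("nibble-level wildcards are not handled in this example")
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    # DOTALL so the wildcard also matches 0x0a, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matched_sequences(data):
    """Return the names of all sequences found anywhere in data."""
    return {name for name, rx in COMPILED.items() if rx.search(data)}


def rule_matches(data):
    """Evaluate the rule condition: 7 of them and filesize < 42670080."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= MIN_MATCHES


def render(pattern, filler=0x90):
    """Instantiate a pattern as concrete bytes, filling ?? with NOP (constructed data)."""
    return bytes(filler if pair == "??" else int(pair, 16) for pair in byte_pairs(pattern))


PAD = b"\x00" * 16  # inert filler between embedded sequences
# Constructed buffer containing seven of the ten sequences -> rule fires.
SAMPLE_HIT = PAD.join(render(SEQUENCES[n]) for n in
                      ["sequence_0", "sequence_2", "sequence_4", "sequence_5",
                       "sequence_7", "sequence_8", "sequence_9"])
# Constructed buffer containing only six -> rule must not fire.
SAMPLE_MISS = PAD.join(render(SEQUENCES[n]) for n in
                       ["sequence_0", "sequence_2", "sequence_4", "sequence_5",
                        "sequence_7", "sequence_8"])

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)]:
        print(label, sorted(matched_sequences(buf)), rule_matches(buf))
```

Because the sample buffers embed only instantiated sequences, the six-sequence buffer shows the rule's tolerance: a file that shares fewer than seven of the ten code fragments, for instance a recompiled or partially patched build, is not flagged, which is the generalization caveat the rule's own DISCLAIMER block points at.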