win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive malware. It was developed to wipe the master boot record (MBR) in order to damage a disk's partitioning. The attackers use the EldoS RawDisk driver to perform the malicious action; this driver is not signed and would therefore not run by default. They managed to load it by using a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. ZeroCleare has been used to attack Middle East energy and industrial sectors.

References

2022-09-26, CrowdStrike, Ioan Iacob and Iulian Madalin Ionita: "The Anatomy of Wiper Malware, Part 3: Input/Output Controls". https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ (accessed 2022-09-29).
Covers: CaddyWiper, DEADWOOD, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, Meteor, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare.

2022-09-08, Microsoft, Microsoft Security Threat Intelligence: "Microsoft investigates Iranian attacks against the Albanian government". https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government (accessed 2022-09-13).
Covers: ZeroCleare.

2022-08-12, CrowdStrike, Ioan Iacob and Iulian Madalin Ionita: "The Anatomy of Wiper Malware, Part 1: Common Techniques". https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ (accessed 2022-08-15).
Covers: Apostle, CaddyWiper, DistTrack, DoubleZero, DUSTMAN, HermeticWiper, IsaacWiper, IsraBye, KillDisk, Meteor, Olympic Destroyer, Ordinypt, Petya, Sierra(Alfa,Bravo, ...), StoneDrill, WhisperGate, ZeroCleare.

2022-04-28, Fortinet, Gergely Revay: "An Overview of the Increasing Wiper Malware Threat". https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat (accessed 2022-04-29).
Covers: AcidRain, CaddyWiper, DistTrack, DoubleZero, EternalPetya, HermeticWiper, IsaacWiper, Olympic Destroyer, Ordinypt, WhisperGate, ZeroCleare.

2021-02-28, PWC UK (technical report): "Cyber Threats 2020: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf (accessed 2021-03-04).
Covers: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Tonto Team.

2020-03-03, PWC UK (technical report): "Cyber Threats 2019: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf (accessed 2020-03-03).
Covers: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA.

2019-12-09, IBM Security, IBM IRIS: "New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East". https://www.ibm.com/downloads/cas/OAJ4VZNJ (accessed 2020-01-09).
Covers: ZeroCleare.
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20221125 | Detects win.zerocleare.)
rule win_zerocleare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.zerocleare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7443 8b4b04 3bc1 7410 90 83780400 7563 }
            // n = 7, score = 100
            //   7443                 | je                  0x45
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   3bc1                 | cmp                 eax, ecx
            //   7410                 | je                  0x12
            //   90                   | nop                 
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   7563                 | jne                 0x65

        $sequence_1 = { 83c40c 6b45e430 8945e0 8d80f0d64400 8945e4 803800 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   6b45e430             | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d80f0d64400         | lea                 eax, [eax + 0x44d6f0]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   803800               | cmp                 byte ptr [eax], 0

        $sequence_2 = { 8b048540fd4400 807c012800 7d5d 8d45d8 50 }
            // n = 5, score = 100
            //   8b048540fd4400       | mov                 eax, dword ptr [eax*4 + 0x44fd40]
            //   807c012800           | cmp                 byte ptr [ecx + eax + 0x28], 0
            //   7d5d                 | jge                 0x5f
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax

        $sequence_3 = { 8b45b0 03d3 03d1 8b0c8540fd4400 8a0433 43 }
            // n = 6, score = 100
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   03d3                 | add                 edx, ebx
            //   03d1                 | add                 edx, ecx
            //   8b0c8540fd4400       | mov                 ecx, dword ptr [eax*4 + 0x44fd40]
            //   8a0433               | mov                 al, byte ptr [ebx + esi]
            //   43                   | inc                 ebx

        $sequence_4 = { 8b49fc 83c223 2bc1 83c0fc 83f81f 0f87df020000 eb48 }
            // n = 7, score = 100
            //   8b49fc               | mov                 ecx, dword ptr [ecx - 4]
            //   83c223               | add                 edx, 0x23
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f87df020000         | ja                  0x2e5
            //   eb48                 | jmp                 0x4a

        $sequence_5 = { 0f8225ffffff eb1b 8b0c8d40fd4400 8a443928 a840 7508 0c02 }
            // n = 7, score = 100
            //   0f8225ffffff         | jb                  0xffffff2b
            //   eb1b                 | jmp                 0x1d
            //   8b0c8d40fd4400       | mov                 ecx, dword ptr [ecx*4 + 0x44fd40]
            //   8a443928             | mov                 al, byte ptr [ecx + edi + 0x28]
            //   a840                 | test                al, 0x40
            //   7508                 | jne                 0xa
            //   0c02                 | or                  al, 2

        $sequence_6 = { 8b4d08 c1fa02 8bc2 c1e81f 03c2 3bf8 }
            // n = 6, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c1fa02               | sar                 edx, 2
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   3bf8                 | cmp                 edi, eax

        $sequence_7 = { c1e81f 03c2 85c0 0f8e97000000 8b35???????? 33c0 8985e4f7ffff }
            // n = 7, score = 100
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   85c0                 | test                eax, eax
            //   0f8e97000000         | jle                 0x9d
            //   8b35????????         |                     
            //   33c0                 | xor                 eax, eax
            //   8985e4f7ffff         | mov                 dword ptr [ebp - 0x81c], eax

        $sequence_8 = { f20f592c8570324400 f20f59148570324400 660f5834c5803a4400 660f54c5 f20f5ce8 f20f58fa }
            // n = 6, score = 100
            //   f20f592c8570324400     | mulsd    xmm5, qword ptr [eax*4 + 0x443270]
            //   f20f59148570324400     | mulsd    xmm2, qword ptr [eax*4 + 0x443270]
            //   660f5834c5803a4400     | addpd    xmm6, xmmword ptr [eax*8 + 0x443a80]
            //   660f54c5             | andpd               xmm0, xmm5
            //   f20f5ce8             | subsd               xmm5, xmm0
            //   f20f58fa             | addsd               xmm7, xmm2

        $sequence_9 = { 0d???????? eb0c 0d00000003 eb05 0d00000002 8bcf 237d08 }
            // n = 7, score = 100
            //   0d????????           |                     
            //   eb0c                 | jmp                 0xe
            //   0d00000003           | or                  eax, 0x3000000
            //   eb05                 | jmp                 7
            //   0d00000002           | or                  eax, 0x2000000
            //   8bcf                 | mov                 ecx, edi
            //   237d08               | and                 edi, dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 42670080
}