win.zerocleare

ZeroCleare

Actor(s): OilRig


ZeroCleare is a destructive malware. It was developed to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action; it is not a signed driver and would therefore not be runnable by default. The attackers managed to install it by using a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. It was used to attack Middle East energy and industrial sectors.

References
2020-03-03 – PWC UK – PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2019-12-09 – IBM Security – IBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
Yara Rules
[TLP:WHITE] win_zerocleare_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_zerocleare_auto {

    // Autogenerated code-sequence signature for the ZeroCleare wiper. The rule
    // uses no imports and no text strings: it matches only on short x86 (32-bit
    // register) instruction sequences lifted from one sample's disassembly, so a
    // hit is a code-similarity indicator rather than proof of wiping behaviour.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive instructions; the comment
    // under it repeats the opcode bytes with their disassembly. Bytes written as
    // "??" are wildcards for operands whose disassembly is left blank — presumably
    // absolute addresses and call/jump targets that differ between builds, so the
    // match relies on the surrounding opcodes instead.
    strings:
        // NOTE(review): looks like the compiler-emitted stack-cookie prologue
        // (load cookie, xor with esp, store to the frame) — common to many MSVC
        // binaries, so weak evidence on its own; confirm before weighting it.
        $sequence_0 = { a1???????? 33c4 89442444 53 8b1d???????? }
            // n = 5, score = 100
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   53                   | push                ebx
            //   8b1d????????         |                     

        // Stores a fixed 0x4218ad into the frame before a jump and a compare
        // against a global; the immediate ties this sequence to one build's layout.
        $sequence_1 = { 8975ec c745f0ad184200 eb11 833d????????01 }
            // n = 4, score = 100
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   c745f0ad184200       | mov                 dword ptr [ebp - 0x10], 0x4218ad
            //   eb11                 | jmp                 0x13
            //   833d????????01       |                     

        $sequence_2 = { c645fc01 0f57c0 8d8d1cf7ffff 50 0f118580f7ffff e8???????? 83c404 }
            // n = 7, score = 100
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   0f57c0               | xorps               xmm0, xmm0
            //   8d8d1cf7ffff         | lea                 ecx, [ebp - 0x8e4]
            //   50                   | push                eax
            //   0f118580f7ffff       | movups              xmmword ptr [ebp - 0x880], xmm0
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // NOTE(review): (eax - edi) >> 3 compared with esi looks like a generic
        // pointer-difference / element-count loop check — likely compiler idiom.
        $sequence_3 = { 2bc7 c1f803 3bf0 7c83 }
            // n = 4, score = 100
            //   2bc7                 | sub                 eax, edi
            //   c1f803               | sar                 eax, 3
            //   3bf0                 | cmp                 esi, eax
            //   7c83                 | jl                  0xffffff85

        $sequence_4 = { 837e0800 0f84ae000000 6a06 33c0 c745e000000000 68???????? 8d4dd0 }
            // n = 7, score = 100
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   0f84ae000000         | je                  0xb4
            //   6a06                 | push                6
            //   33c0                 | xor                 eax, eax
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   68????????           |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]

        // NOTE(review): shr 0x1f / add is the usual signed divide-by-two
        // rounding fixup; the 0x3e8 (1000) push is the more distinctive part.
        $sequence_5 = { 8bc2 c1e81f 03c2 398510f8ffff 8b85e4f7ffff 0f8c78ffffff 68e8030000 }
            // n = 7, score = 100
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   398510f8ffff         | cmp                 dword ptr [ebp - 0x7f0], eax
            //   8b85e4f7ffff         | mov                 eax, dword ptr [ebp - 0x81c]
            //   0f8c78ffffff         | jl                  0xffffff7e
            //   68e8030000           | push                0x3e8

        $sequence_6 = { 8d4361 8845f3 394e08 7407 8801 ff4604 eb0c }
            // n = 7, score = 100
            //   8d4361               | lea                 eax, [ebx + 0x61]
            //   8845f3               | mov                 byte ptr [ebp - 0xd], al
            //   394e08               | cmp                 dword ptr [esi + 8], ecx
            //   7407                 | je                  9
            //   8801                 | mov                 byte ptr [ecx], al
            //   ff4604               | inc                 dword ptr [esi + 4]
            //   eb0c                 | jmp                 0xe

        // Function epilogue writing a 64-bit result through esi and returning 1
        // with `ret 8`; generic enough to appear in unrelated binaries.
        $sequence_7 = { 8906 5f 895604 b801000000 5e 83c408 c20800 }
            // n = 7, score = 100
            //   8906                 | mov                 dword ptr [esi], eax
            //   5f                   | pop                 edi
            //   895604               | mov                 dword ptr [esi + 4], edx
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   83c408               | add                 esp, 8
            //   c20800               | ret                 8

        $sequence_8 = { c745c000000000 85c0 7409 50 e8???????? 83c404 }
            // n = 6, score = 100
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_9 = { c785dcf7ffff00000000 8985e0f7ffff eb19 8d85dcf7ffff 50 }
            // n = 5, score = 100
            //   c785dcf7ffff00000000     | mov    dword ptr [ebp - 0x824], 0
            //   8985e0f7ffff         | mov                 dword ptr [ebp - 0x820], eax
            //   eb19                 | jmp                 0x1b
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax

    condition:
        // Any 7 of the 10 sequences above must be present, and the scanned file
        // must be under 42670080 bytes (~40.7 MiB).
        // NOTE(review): filesize is only defined for file scans; on process-memory
        // scans this condition is expected not to match — confirm that is intended.
        7 of them and filesize < 42670080
}