ZeroCleare

ZeroCleare is wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors, in activity that targeted the energy and industrial sectors in the Middle East and political targets in Albania.[1][2][3][4]

ID: S1151
Associated Software: ZEROCLEAR
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 August 2024
Last Modified: 04 September 2024

Associated Software Descriptions

Name Description
ZEROCLEAR [3]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

ZeroCleare can receive command-line arguments from an operator to corrupt the file system using the RawDisk driver.[3]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[4]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.[3][2][4]

Enterprise T1068 Exploitation for Privilege Escalation

ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver.[4]

Enterprise T1070.004 Indicator Removal: File Deletion

ZeroCleare has the ability to uninstall the RawDisk driver and delete the rwdsk file on disk.[3][2]

Enterprise T1106 Native API

ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.[3]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.[4]

Enterprise T1082 System Information Discovery

ZeroCleare can issue the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY, and IOCTL_DISK_GET_LENGTH_INFO device I/O control codes to compute the disk size.[3]

Groups That Use This Software

ID Name References
G0049 OilRig

OilRig collaborated on the destructive portion of the ZeroCleare attack.[4]

G1001 HEXANE

HEXANE probed victim infrastructure in support of HomeLand Justice.[1]

Campaigns

ID Name Description
C0038 HomeLand Justice [2][1]

References