1. Home
  2. Software
  3. ZeroCleare

ZeroCleare

ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.[1][2][3][4]

ID: S1151
Associated Software: ZEROCLEAR
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 August 2024
Last Modified: 04 September 2024
Version Permalink

Associated Software Descriptions

Name Description
ZEROCLEAR

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver.[3]
.001 PowerShell

ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[4]
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.[3][2][4]
Enterprise T1068 Exploitation for Privilege Escalation

ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver.[4]
Enterprise T1070 .004 Indicator Removal: File Deletion

ZeroCleare has the ability to uninstall the RawDisk driver and delete the rwdsk file on disk.[3][2]
Enterprise T1106 Native API

ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.[3]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.[4]
Enterprise T1082 System Information Discovery

ZeroCleare can use the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY, and IOCTL_DISK_GET_LENGTH_INFO system calls to compute disk size.[3]

Groups That Use This Software

ID Name References
G0049 OilRig

OilRig collaborated on the destructive portion of the ZeroCleare attack.[4]
G1001 HEXANE

HEXANE probed victim infrastructure in support of HomeLand Justice.[1]

Campaigns

ID Name Description
C0038 HomeLand Justice

[2][1]

References

  1. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  2. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  1. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  2. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.