New Iranian wiper discovered in attacks on Middle Eastern companies

04/12/2019

The flag of Iran.

IBM X-Force, the company’s security unit, has published a report of a new form of “wiper” malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered in a response to an attack on what an IBM spokesperson described as “a new environment in the [Middle East]—not in Saudi Arabia, but another regional rival of Iran.”

Dubbed ZeroCleare, the malware is “a likely collaboration between Iranian state-sponsored groups,” according to a report by IBM X-Force researchers. The attacks were targeted against specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the “ITG13 Group”—also known as “Oilrig” and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign.

“While X-Force IRIS cannot attribute the activity observed during the destructive phase of the ZeroCleare campaign,” the researchers noted, “we assess that high-level similarities with other Iranian threat actors, including the reliance on ASPX web shells and compromised VPN accounts, the link to ITG13 activity, and the attack aligning with Iranian objectives in the region, make it likely this attack was executed by one or more Iranian threat groups.”

In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based webshell named “extensions.aspx,” which “shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE,” the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool—obfuscated to hide its intent—to steal more network credentials off the compromised servers. From there, they moved out across the network to spread the ZeroCleare malware.

Hiding the driver

ZeroCleare, like the Shamoon wiper, uses the legitimate RawDisk software driver from EldoS to gain direct access to disk drives and write data. Since the EldoS driver is not signed, however, ZeroCleare uses a vulnerable but signed driver from a version of Oracle’s VirtualBox virtual machine software to bypass signature checking of the driver—allowing it to attack 64-bit versions of Windows. The VBoxDrv driver, which passes Microsoft’s Driver Signature Enforcement, is loaded by an intermediary executable—in the cases IBM X-Force detected, the file was named soy.exe. After loading the vulnerable VirtualBox driver, the malware exploits a bug in the driver to load the unsigned EldoS driver. On 32-bit Windows systems, which lack Driver Signature Enforcement, the malware can dispense with the workaround and run the EldoS driver directly.

The payload of the malware is called ClientUpdate.exe. Using the EldoS driver, it overwrites the Master Boot Record and disk partitions of the infected machine.
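The driver-loading chain described above (a signed but vulnerable VirtualBox driver loaded by a dropper, then an unsigned disk driver) is the sequence a defender would want to spot in driver-load telemetry. The following is an added detection example, not code from the IBM report or this article: it correlates constructed DriverLoad-style records per host, and the field names, file paths, hosts and times are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Signed drivers the article describes as abused to bootstrap the chain.
# The exact filename is an assumption; the article only names "VBoxDrv".
VULNERABLE_SIGNED_DRIVERS = {"vboxdrv.sys"}

# Constructed sample records, loosely modelled on a DriverLoad event
# (e.g. Sysmon Event ID 6). Hosts, paths and times are made up; only
# the loader name soy.exe comes from the article.
SAMPLE_EVENTS = [
    {"host": "fs01", "time": "2019-12-04T10:00:00", "image": r"C:\Windows\Temp\soy.exe",
     "driver": r"C:\Windows\Temp\VBoxDrv.sys", "signed": True},
    {"host": "fs01", "time": "2019-12-04T10:00:03", "image": r"C:\Windows\Temp\soy.exe",
     "driver": r"C:\Windows\Temp\rawdisk.sys", "signed": False},
    # Benign baseline: VirtualBox itself loading its driver, no unsigned follow-up.
    {"host": "ws07", "time": "2019-12-04T09:30:00",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "driver": r"C:\Program Files\Oracle\VirtualBox\VBoxDrv.sys", "signed": True},
]

def _basename(path):
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_driver_chains(events, window_seconds=60):
    """Return (host, signed_driver, unsigned_driver) for every host where a
    known-vulnerable signed driver load is followed, within the window, by an
    unsigned driver load: the 64-bit bypass sequence the article describes."""
    hits = []
    by_host = {}
    for ev in sorted(events, key=lambda e: (e["host"], e["time"])):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not ev["signed"] or _basename(ev["driver"]) not in VULNERABLE_SIGNED_DRIVERS:
                continue
            t0 = datetime.fromisoformat(ev["time"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > timedelta(seconds=window_seconds):
                    break  # events are time-ordered, nothing later can match
                if not later["signed"]:
                    hits.append((host, ev["driver"], later["driver"]))
                    break
    return hits

if __name__ == "__main__":
    for host, signed_drv, unsigned_drv in find_driver_chains(SAMPLE_EVENTS):
        print(f"{host}: {signed_drv} followed by unsigned {unsigned_drv}")
```

On 32-bit hosts, where the article notes no workaround is needed, the unsigned load alone is the signal, so the second match can be alerted on without the preceding signed-driver condition.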

The victims in the attacks were in the energy and industrial sectors in countries that Iran sees as rivals in the Persian Gulf. And this isn’t the only ongoing Iran-tied campaign—there have been anecdotal reports of other attacks from Iran’s APT33 against US and other nations’ energy companies, and another Iranian-tied threat group targeted a US presidential campaign (President Trump’s, according to Reuters).
