S1151 ZeroCleare
ZeroCleare is wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors, including in activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.[1][2][3][4]
| Item | Value |
|---|---|
| ID | S1151 |
| Associated Names | ZEROCLEAR |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 August 2024 |
| Last Modified | 04 September 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| ZEROCLEAR | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver.[2] |
| enterprise | T1059.001 | PowerShell | ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[3] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.[1][2][3] |
| enterprise | T1068 | Exploitation for Privilege Escalation | ZeroCleare has used a vulnerable, signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) and subsequently load the unsigned RawDisk driver.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ZeroCleare has the ability to uninstall the RawDisk driver and delete the rwdsk file on disk.[1][2] |
| enterprise | T1680 | Local Storage Discovery | ZeroCleare can issue the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY, and IOCTL_DISK_GET_LENGTH_INFO device I/O control requests to compute disk size.[2] |
| enterprise | T1106 | Native API | ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.[2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.[3] |
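The T1068 and T1553.002 rows describe the bring-your-own-vulnerable-driver pattern: a signed but exploitable VBoxDrv driver is loaded first, then used to get the unsigned RawDisk driver into the kernel. As an added example (not code from the ATT&CK page or from any of the cited reports), the following Python sketch turns that sequence into a detection over driver-load telemetry of the kind Sysmon Event ID 6 provides. The key=value record layout, the `.sys` file names, the 30-minute pairing window and the sample records are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class DriverLoad(NamedTuple):
    ts: datetime
    host: str
    image: str
    signed: bool


# Constructed sample telemetry (not real logs). Layout is an assumption:
# <ISO timestamp> host=<name> image=<path> signed=<true|false>
SAMPLE_LOG = r"""
2022-07-17T01:58:10Z host=srv01 image=C:\Windows\System32\drivers\disk.sys signed=true
2022-07-17T02:15:03Z host=srv01 image=C:\Windows\System32\VBoxDrv.sys signed=true
2022-07-17T02:16:41Z host=srv01 image=C:\Windows\System32\rwdsk.sys signed=false
2022-07-17T02:20:00Z host=ws07 image=C:\Windows\System32\drivers\tcpip.sys signed=true
2022-07-17T09:00:00Z host=ws07 image=C:\Windows\System32\VBoxDrv.sys signed=true
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) signed=(?P<signed>true|false)$"
)


def parse_line(line: str) -> DriverLoad:
    """Parse one driver-load record; raise on anything that does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable driver-load record: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return DriverLoad(ts, m["host"], m["image"], m["signed"] == "true")


def parse_log(text: str) -> List[DriverLoad]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[DriverLoad], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one alert per RawDisk ('rwdsk') driver load that looks suspicious.

    Two signals are combined: the RawDisk image being unsigned (DSE was bypassed
    to load it), and a VBoxDrv load on the same host shortly before it (the
    vulnerable signed driver that ZeroCleare abuses). The 'rwdsk' and 'vboxdrv'
    substrings are taken from the page; matching on a substring of the basename
    is an assumption that tolerates renamed copies in the same directory.
    """
    alerts = []
    vbox_loads: Dict[str, List[datetime]] = {}  # host -> VBoxDrv load timestamps
    for e in sorted(events, key=lambda ev: ev.ts):
        name = basename(e.image)
        if "vboxdrv" in name:
            vbox_loads.setdefault(e.host, []).append(e.ts)
        elif "rwdsk" in name:
            reasons = []
            if not e.signed:
                reasons.append("unsigned RawDisk driver load")
            if any(timedelta(0) <= e.ts - t <= window for t in vbox_loads.get(e.host, [])):
                reasons.append("RawDisk load preceded by VBoxDrv load within window")
            if reasons:
                alerts.append({"host": e.host, "ts": e.ts, "image": e.image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["host"], alert["ts"].isoformat(), alert["image"], "; ".join(alert["reasons"]))
```

On the constructed sample, srv01 produces a single alert carrying both reasons, while ws07's lone VBoxDrv load produces nothing: the VirtualBox driver and the RawDisk driver both have legitimate uses on their own, so the paired sequence, and the unsigned state of the second image, are what make the event worth paging on. A production version would also watch for the rwdsk file being deleted afterwards (T1070.004) as a second, later indicator on the same host.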
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | OilRig collaborated on the destructive portion of the ZeroCleare attack.[3] |
| G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice.[4] |
References
1. CISA. (2022, September 23). AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
2. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
3. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
4. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.