New Variants of ZeroCleare Data Wiper Malware Attributed to Iran

January 30, 2020

In December 2019, the IBM X-Force team published a report (https://www.ibm.com/downloads/cas/OAJ4VZNJ) detailing new variants of ZeroCleare, a data-destroying malware family attributed to Iran. The IBM X-Force report makes several important points:

  1. The initial-access IP address of this ZeroCleare campaign is 193.111.152.13, which was associated with ITG13 in recent OilRig/APT34 leaks and, as also reported by Palo Alto, was used to scan target networks and access accounts as early as the fall of 2018. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. These variants of ZeroCleare are therefore very likely attributable to Iran.

  2. The IBM X-Force team confirmed that these samples mostly target the energy sector in the Middle East. ZeroCleare attacks by wiping data, which is much worse than ransomware: if the malware spreads, the data is destroyed rather than held for ransom.

Lionic/AegisLab is one of the first anti-virus vendors able to detect these variants of ZeroCleare. When we received this news through our information-exchange channel, our anti-virus experts quickly located the samples in our daily virus sample collection. The following are example screenshots from VirusTotal.

Figure 1 - One ZeroCleare variant whose SHA1 is cc99395963de6da81dac96929a8e234c8415714a

Figure 2 - One ZeroCleare variant whose SHA1 is a7133c316c534d1331c801bbcd3f4c62141013a1
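The two SHA-1 values above are the indicators a defender can act on immediately. The following added example (not code from Lionic, AegisLab or the IBM X-Force report) walks a directory tree, hashes each regular file in chunks and reports any file whose SHA-1 matches the indicators listed on this page. The `scan_tree` and `sha1_of_file` names are our own; the hash set can be extended with indicators from the IBM report or any other trusted feed.

```python
"""Hash-based IoC sweep for the ZeroCleare SHA-1 values listed above."""
import hashlib
import os
from pathlib import Path

# SHA-1 indicators taken from Figures 1 and 2 of the post above.
ZEROCLEARE_SHA1 = {
    "cc99395963de6da81dac96929a8e234c8415714a",
    "a7133c316c534d1331c801bbcd3f4c62141013a1",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA-1 of a file, read in 1 MiB chunks so
    large binaries never have to be loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicators=ZEROCLEARE_SHA1):
    """Walk `root` and return a sorted list of (path, sha1) for every regular
    file whose SHA-1 is in `indicators` (matched case-insensitively).
    Symlinks are not followed and unreadable files are skipped, so one
    locked file does not abort the whole sweep."""
    wanted = {i.lower() for i in indicators}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue  # permission denied, file vanished, etc.
            if digest in wanted:
                hits.append((str(p), digest))
    return sorted(hits)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(target):
        print(f"MATCH {digest} {path}")
```

Run it against a quarantine share or a mounted image (`python scan_tree.py /mnt/image`). Hash matching only catches byte-identical copies, so treat a clean result as "these two samples are absent", not as proof that no wiper is present.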

As your strong network security partner, we keep watching security activity around the world. All customers who use Lionic/AegisLab products or signature services are protected against this ZeroCleare threat.


About Lionic Corporation

Lionic Corporation is a worldwide supplier of innovative Deep Packet Inspection solutions. Lionic's technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.

Lionic's security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Products powered by Lionic provide better network management and protect the world's networks from an ever-increasing level of security threats.