Security researchers use the label APT (Advanced Persistent Threat) for the most capable and well-resourced intrusion groups. Many APTs operate on behalf of governments, but not all of them: some are criminal outfits pursuing their own agendas. Most APT campaigns aim either at espionage, collecting information about a target, or at financial gain. A smaller set of operations is purely destructive, intended to cause as much damage as possible, and disk wipers are the malware most commonly used in them. A wiper destroys the data on the target's hard drives and any attached removable storage, typically by overwriting it rather than encrypting it, so there is no key that could ever decrypt it. If no backup exists, a victim of a wiper has no way to get the data back.
Bears Similarities with the Shamoon Wiper
Recently, malware researchers at IBM X-Force IRIS documented a new disk wiper in the wild and named it ZeroCleare. Analysis showed significant similarities with one of the best-known wipers, Shamoon: both rely on the legitimate EldoS RawDisk driver to write directly to the disk, and their overall approach to destroying a machine is the same. There are also important differences, so ZeroCleare is not a copy of Shamoon and the two are not considered members of the same malware family. The more likely explanation is that the authors of ZeroCleare borrowed techniques, and possibly code, from the notorious Shamoon threat.
Overwrites the MBR
To get onto a targeted network, the attackers appear to take advantage of poorly secured remote access and network accounts, for example by brute-forcing weak passwords. ZeroCleare is not the first stage of the intrusion: it is deployed only at the end, after the operators have used other tools and malware to gain and extend access across the network. Rather than shipping its own kernel driver, the wiper drops and loads a genuine commercial component, the EldoS RawDisk driver, which gives a user-mode program direct access to the raw disk without going through the Windows file system. Legitimate toolkits like RawDisk are attractive to attackers precisely because a driver from a real vendor is far less likely to be flagged by security products and anti-malware checks than custom malicious kernel code. Once the driver is loaded, ZeroCleare uses it to overwrite the Master Boot Record (MBR) and the disk partitions. The MBR holds the boot code and the partition table, so overwriting it leaves the machine unable to boot and the partitions unaddressable; overwriting the partitions themselves destroys the user's data.
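To make concrete what overwriting the MBR destroys, here is an added example in Python (not code from this page, from ZeroCleare, or from any vendor report). It parses a 512-byte Master Boot Record, checks the 0x55AA boot signature and the partition table, and compares the sector against a known-good hash, which is the check an investigator would run against the first sector of a disk image from a suspected wiper victim. The sample sectors are constructed for illustration: one with a single active NTFS partition, one fully zeroed, one filled with a junk pattern, and one with a single changed byte. The names `build_sample_mbr`, `parse_partition_table` and `assess_mbr` are chosen here.

```python
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 64 bytes: four 16-byte partition entries
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510-511 of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not a real disk image): a short x86 stub in the
    bootstrap area and one active NTFS partition starting 2048 sectors in."""
    bootstrap = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # status 0x80 = bootable, CHS fields (ignored by modern loaders), type 0x07 = NTFS/exFAT,
    # LBA start 2048, length 204800 sectors (100 MiB at 512 bytes per sector)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three slots empty
    return bootstrap + table + BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries of an MBR; empty slots are skipped."""
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict[str, object]:
    """Classify a 512-byte sector as intact, changed (differs from a trusted baseline
    hash, e.g. a bootloader update) or destroyed (no boot signature or no usable
    partition table, which is what a wiper leaves behind)."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    sector = sector[:MBR_SIZE]
    digest = hashlib.sha256(sector).hexdigest()
    signature_ok = sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE
    partitions = parse_partition_table(sector) if signature_ok else []
    bootstrap_blank = not any(sector[:PARTITION_TABLE_OFFSET])
    if not signature_ok or not partitions:
        verdict = "destroyed"
    elif baseline_sha256 is not None and digest != baseline_sha256:
        verdict = "changed"
    else:
        verdict = "intact"
    return {"sha256": digest, "signature_ok": signature_ok, "bootstrap_blank": bootstrap_blank,
            "partitions": partitions, "verdict": verdict}


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = assess_mbr(good)["sha256"]
    samples = {
        "intact": good,
        "zeroed": b"\x00" * MBR_SIZE,                                 # constructed: all zeros
        "junk": bytes((i * 37 + 11) % 256 for i in range(MBR_SIZE)),  # constructed: pattern fill
        "patched bootstrap": b"\xEB" + good[1:],                      # constructed: one byte changed
    }
    for label, data in samples.items():
        r = assess_mbr(data, baseline)
        print(f"{label:18s} verdict={r['verdict']:9s} sig_ok={r['signature_ok']} "
              f"partitions={len(r['partitions'])}")
```

On a live Windows host the same check can be run against the first 512 bytes of `\\.\PhysicalDrive0` opened read-only (or `/dev/sda` on Linux). The baseline hash has to be recorded while the machine is known good; a bare signature check only tells you the sector is gone, not that it was altered.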
At the time of the initial reports, the group behind ZeroCleare and its ultimate goal had not been conclusively established. The researchers at IBM X-Force IRIS who analyzed the wiper assessed that it was likely the work of Iranian state-sponsored actors, including the group they track as ITG13 (also known as APT34 or OilRig), and the prevailing view is that the operators were acting on behalf of a foreign government rather than for profit.
Victims of a destructive infection naturally want to understand why their systems were left in such a state. ZeroCleare is not commodity malware; it is a targeted tool that has been used to attack specific industries. According to IBM Security, its X-Force IRIS incident response team saw a 200 percent increase in destructive attacks over the past year among the cases in which it helped companies respond. ZeroCleare has been used mostly against the energy and industrial sectors, which have seen a steady rise in attacks by aggressive and sophisticated malware in recent years.
Destructive attacks of this kind have hit organizations in Europe and the Middle East particularly hard, and the ZeroCleare campaign itself was aimed at the energy sector in the Middle East. While such attacks are not limited to one region, the choice of target is rarely random: a sabotage operation against critical industry is chosen for its potential to hurt the economy of a rival country.
ZeroCleare’s Complexities Make It More Dangerous
ZeroCleare is more involved than a simple file-deleting program because it has to defeat a Windows safeguard. On 64-bit Windows, Driver Signature Enforcement (DSE) refuses to load kernel drivers that are not signed by a trusted publisher, and the EldoS RawDisk driver that ZeroCleare relies on is not acceptably signed. To get around this, the attackers use a known trick: they first load a legitimately signed but vulnerable VirtualBox driver (VBoxDrv.sys) and then exploit it to load the unsigned RawDisk driver anyway, the same approach used by the open-source Turla Driver Loader. Because loading any driver requires administrative privileges, the attackers must already have them, but once they do, the protection a 64-bit system has against unsigned drivers is effectively void. A 64-bit system is sometimes assumed to be more secure than a 32-bit one because of DSE, and in this case that assumption does not hold. Either way, the result is a machine that is left unbootable and effectively useless once the Master Boot Record and partitions have been overwritten.
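A defender can watch for exactly the driver-loading behaviour described above. The following is an added example in Python, not code from this page or from IBM's report: it runs simple detection logic over Sysmon Event ID 6 (DriverLoad) records flattened to JSON lines, flagging drivers that load unsigned, with a signature status other than Valid, from outside the normal driver directories, or that match a small watchlist of known-abused drivers (the EldoS RawDisk driver and the vulnerable VirtualBox driver used for the DSE bypass, under the file names seen in public reporting on these campaigns). The event records, paths, timestamps and publisher strings are constructed for the example, and `analyze_driver_load` and `scan_driver_loads` are names chosen here.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Watchlist of driver file names abused by wipers (lower-case). The RawDisk driver is
# what ZeroCleare and Shamoon write to disk through; VBoxDrv.sys is the signed-but-
# vulnerable driver used to load RawDisk past Driver Signature Enforcement.
ABUSED_DRIVERS = {
    "elrawdsk.sys": "EldoS RawDisk driver, raw disk writes used by Shamoon and ZeroCleare",
    "vboxdrv.sys": "vulnerable VirtualBox driver used to bypass Driver Signature Enforcement",
}

# Directories a driver is normally loaded from (compared case-insensitively).
# Trailing separators stop a sibling like ...\drivers_evil\ from matching.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 (DriverLoad) records, one JSON object per line.
# Paths, times and publisher strings are made up for the example.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2019-12-04 09:00:01.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2019-12-04 09:12:40.000", "ImageLoaded": "C:\\Users\\Public\\VBoxDrv.sys", "Signed": "true", "Signature": "constructed-publisher", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2019-12-04 09:12:41.000", "ImageLoaded": "C:\\Users\\Public\\elrawdsk.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 6, "UtcTime": "2019-12-04 09:30:00.000", "ImageLoaded": "C:\\Windows\\System32\\DriverStore\\FileRepository\\vendor.inf_amd64_0123\\vendor.sys", "Signed": "true", "Signature": "constructed-publisher", "SignatureStatus": "Expired"}
{"EventID": 1, "UtcTime": "2019-12-04 09:31:00.000", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def analyze_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single DriverLoad event is suspicious (empty if none)."""
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver loaded; DSE should have blocked this on 64-bit Windows")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"driver signature status is {event.get('SignatureStatus')!r}")
    if name in ABUSED_DRIVERS:
        reasons.append(f"known-abused driver {name}: {ABUSED_DRIVERS[name]}")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual location {image}")
    return reasons


def scan_driver_loads(jsonl: str) -> List[Dict[str, object]]:
    """Run analyze_driver_load over JSON-lines Sysmon events; keep only Event ID 6 hits."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:
            continue
        reasons = analyze_driver_load(event)
        if reasons:
            alerts.append({"time": event.get("UtcTime"), "image": event.get("ImageLoaded"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_driver_loads(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['image']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Of the four rules, the unsigned-driver one has the lowest false-positive rate: on 64-bit Windows with DSE enabled it should essentially never fire unless test-signing mode is on or a bypass like the one above has been used, so it deserves a high-severity alert on its own. The watchlist should be extended with file hashes, since an attacker can rename a driver but not change what it is.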
Computer users and administrators are always urged to take preventive measures rather than counting on recovery. Against a wiper, the measures that matter most are the ones that remove the attackers' entry points and keep a copy of the data out of their reach: enforce strong, unique passwords and multi-factor authentication on remote access and network accounts, restrict who can log in remotely and who holds administrative rights (loading a driver requires them), monitor for unexpected driver loads, and maintain offline or otherwise isolated backups that an attacker with network access cannot overwrite. In a landscape of aggressive ransomware and other data-destroying threats, security firms cannot stress enough how important this is, because a ZeroCleare attack leaves little room to recover a damaged system after the fact.