Security analysts from the National Cyber Security Center (NCSC), a part of Saudi Arabia’s National Cyber Security Authority (NCSA), have discovered a new data wiping malware “Dustman” that hit BAPCO, Bahrain’s national oil company, on December 29, 2019. Dustman is designed to delete data from infected computers. The malware was named after the filename and string embedded in the malware.
The malware attack, aimed notoriously at BAPCO, was partially successful as it affected only a certain module of its extensive network. The company was able to detect and contain this malware attack immediately and thus continued normal services after the attack.
Dustman: An evolved version of ZeroCleare
Iran has recently launched a string of data deleting malwares like “Shamoon” and “ZeroCleare”. Dustman belongs to the same family as identified from the traces found in its malicious code and could be an evolved version of ZeroCleare malware.
Both Dustman and ZeroCleare use the exact same skeleton, Turla Driver Loader (TDL), published on March 2019 on GitHub. What’s different in Dustman though is that it has been optimized to deliver all drivers and payloads in a single executable file, as opposed to the two executable files required in ZeroCleare. Analysts also noted that ZeroCleare wipes the data by overwriting it with garbage data (0x55), while Dustman only overwrites the data. The names of Indicators of Compromise (IOC) have been issued as dustman.exe, elrawdsk.exe, assistant.sys and agent.exe.
Earlier, in its research report, IBM stated that the ZeroCleare malware was a creation of two hacking groups xHunt and APT34. It said that the malware was developed by Iranian state-sponsored hackers and was also used in cyberattacks against energy companies in the Middle East region. It further added that the hackers launch brute-force attacks to gain access to weakly secured network systems. Once attackers infect the target device, they spread the malware across the company’s network as the last step of infection.