
Iranian Hackers Deploy New Data-Wiping Malware: IBM


Security analysts from IBM recently discovered a data-wiping malware dubbed ZeroCleare.

IBM claims that the malware was developed by Iranian state-sponsored hackers and used in cyber-attacks against energy companies in the Middle East. However, the company did not name the companies targeted by ZeroCleare.

In its research report, IBM stated that the malware is the work of two hacking groups, xHunt and APT34.

Describing the ZeroCleare attack, IBM stated that ZeroCleare is wiper malware designed to delete information from an infected host. Attackers can use such a wiper to hide their intrusions by destroying crucial forensic evidence.

ZeroCleare’s Infection Flow

Researchers said that the hackers launch brute-force attacks to gain access to weakly secured network systems. Once the attackers have compromised a target device, they spread the malware across the company’s network as the final step of the infection.

“The ZeroCleare wiper is part of the final stage of the overall attack. It is designed to deploy two different ways, adapted to 32-bit and 64-bit systems. The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines,” reads IBM’s report.

In January this year, a report from FireEye claimed that an undetected hacker group from Iran allegedly stole travel and mobile data of individuals in the Middle East region.

According to FireEye, the Iranian group dubbed APT39 has targeted several people in the Middle East, especially in the Gulf region. The espionage group is believed to be providing information to the Iranian government. FireEye stated that it had been tracking APT39 activity since 2014 to protect organizations from cyber incidents.

FireEye also observed that the group uses Persian-language words when encrypting data. APT39’s activities are reportedly focused on the telecommunications, travel, and IT industries, and allegedly reflect Iran’s potential global operational reach and how it collects key data.