Clearing Disk to Zero, Leaving Admins to Byte the Dust
2019 almost passed without any completely new developments in wiper malware variants until mid-December, when an attack involving a new wiper dubbed ZeroCleare was widely covered in the media. In stark contrast, 2020 has already opened with news about cyber-attacks by the DustMan wiper. It’s been a couple of months since we published an overview of wipers and attacks that took place in the recent years, and with new developments occurring, we can provide additional insight into recent attacks with ZeroCleare and DustMan.
Iran has already established itself as a serious player in the cyber warfare field with targeted attacks dating back to the summer of 2012. Then, it released a destructive disk wiping malware dubbed Shamoon, against oil companies in Saudi Arabia and Qatar damaging approximately 30,000 workstations which lead to a weeklong restoration of their services. Following that, in November 2016 a newer version of Shamoon was seen in further attacks on Saudi Arabia’s energy sector, and again in January 2017 hitting the Saudi ministry of labor and large organizations in the chemical sector.
Like in past attacks, this time the Tactics, Techniques and Procedures (TTP) of the operation is similar. In general, what has changed are the names given to new wiper malware variants - ZeroCleare and DustMan, and a slight addition to the disk wiping toolset. The targets are once again organizations from the industrial sector, with a Middle Eastern origin. Additionally, similarly to Shamoon, ZeroCleare and Dustman have relied on legitimate software to circumvent Windows OS’s security features and anti-malware solutions. Somewhat amusingly, after almost a year since the latest attack with Shamoon v3, the same disk driver was used for the disk wiping functions. EldoS RawDisk driver, a legitimate tool for direct modification of data on computer’s hard drive, was employed ZeroCleare and DustMan for overwriting the MBR (Master Boot Record) and other disks. Just like the RawDisk, since the true intent of dual-use tools cannot always be determined by anti-malware heuristics, it often serves the attackers who successfully avoid detection, allowing them to achieve their destructive goal under the radar. This clever tactic has become a trend that is increasingly being seen in cyberattacks.
ZeroCleare, and its derivative - DustMan, had used an additional driver – VirtualBox’s VBoxDrv kernel driver which is vulnerable to shellcode (CVE-2008-3431). The VBoxDrv allowed ZeroCleare and DustMan to bypass a main Windows security feature - the Driver Signature Enforcement (DSE). The DSE denies drivers that aren’t digitally signed from being loaded under the Windows OS. Since the VBoxDrv is digitally signed it was exploited for loading the EldoS RawDisk driver to accomplish the disk wiping goals. At the core of this method of bypassing the DSE, is a modified version of Turla Driver Loader (TDL) available on GitHub. Dustman is slightly different from ZeroCleare. It delivers all the required payloads and drivers in a single executable, instead of bringing them separately like ZeroCleare did, but overall its functionality is the same.
According to initial reports from IBM’s X-Force, the operation was issued jointly by two Iranian hacking groups – APT34 (OILRIG/Helix) and xHunt. APT34 was working on gaining initial access to targets’ networks and was later joined by xHunt.
Wipers bring destruction to data almost instantly - any EDR product out there, being non-proactive, will be useless in preventing wipers from being executed on the system. Moreover, the dual-use tools, like EldoS RawDisk, often trusted by cyber security solutions, aren’t monitored, posing a high risk when these tools are used with malicious intents. Therefore, the monitoring of dual-use tools is good security practice and should be adopted by admins seeking to secure their IT infrastructure. Nevertheless, only prevention-focused solutions can assist in securing IT assets. Deep Instinct applies cutting-edge deep learning AI technology to predict and prevent these destructive wipers, leaving no chance that any malware will be successful, saving admins from huge headaches and organizations from financial loss.