Today, PolySwarm, a threat intelligence platform used to detect new and emerging malware, releases information about a new variant of ZeroCleare (a destructive malware attributed to Iran). PolySwarm Community (free) and Enterprise users were able to access the full content of this sample before it appeared on VirusTotal.
ZeroCleare was first discovered and attributed to Iran by IBM X-Force in December 2019, when it was used to target Industrial Control System (ICS) and SCADA operators in the Middle East. ZeroCleare is particularly dangerous as it leverages domain controllers for propagation and thus can spread rapidly through an organization.
“We recovered a sample of the initial stage for the most recent iteration of this ZeroCleare family and made it available on PolySwarm to help organizations build an effective defense,” says PolySwarm CTO Paul Makowski. “In addition, we are providing a YARA rule to the public, which can be deployed to block this variant at the mail server, firewall and perimeter. As of this writing, several engines on PolySwarm are detecting the malware.”
PolySwarm has provided a YARA rule (available below) which should be useful in detecting this malware variant in email and other vectors security teams might be monitoring. Additionally, you can download the sample for free on PolySwarm. Simply create a free account to access the sample-download feature.
Data-destroying malware like ZeroCleare and related families is a major concern for the banking and ICS/SCADA industries. Enterprises should ensure that their systems are up to date and that they are using all available detection tools to block and detect threats. Third-party reporting indicates the initial infection was via an unpatched vulnerability in VPN appliances, so it is especially crucial to ensure those appliances have been updated.
PolySwarm’s founding team is made up of former NSA and DoD security experts driven to improve the threat intelligence landscape. PolySwarm is an open source, crowdsourced model where specialized security experts and niche antivirus companies compete to detect threats in real-time to protect enterprises.
TECHNICAL INFORMATION:
First stage of ZeroCleare (see scan results in PolySwarm; the YARA rule below detects this):
Malicious Payload:
Initial detailed IBM report:
https://www.ibm.com/downloads/cas/OAJ4VZNJ
YARA RULE:
rule ZeroCleare_PS1 : APT
{
    meta:
        author = "PolySwarm"
        date = "07-01-2020"
    strings:
        $filename = "ClientUpdate.ps1"
        $deckey = "DECKey"
        $var = "ContentData"
        $params = "SilentlyContinue"
        $sleep = "Start-Sleep 5"
        $decrypt_fnc = "Decrypte-Content"
        $base64_data = "$ClientData"
        // can be payload specific
        $payload = "gidhUoEOr4Kr+F9le1lZZk1Ll6OxRxKlOgFsa2ZlyhpEIc1bqsvNSskTc4ifiNqKZ3QI38MFCNrRvgU0d2ASasAhW53Pl58vty+IHa8hmlQnUmFa7eT9kqJcpYS43htJ1vm"
    condition:
        all of them
}
Other files associated with this threat (the YARA rule above is for #8):
File Name, Category, File Hash, Parent
1. ClientUpdate.exe (x64), Wiper, 1a69a02b0cd10b1764521fec4b7376c9, ClientUpdate.ps1
2. ClientUpdate.exe (x86), Wiper, 33f98b613b331b49e272512274669844, ClientUpdate.ps1
3. elrawdsk.sys (x86), Tool, 69b0cec55e4df899e649fa00c2979661, ClientUpdate.ps1
4. soy.exe, Loader, 1ef610b1f9646063f96ad880aad9569d, ClientUpdate.ps1
5. elrawdsk.sys (x64), Tool, 993e9cb95301126debdea7dd66b9e121, soy.exe
6. saddrv.sys, Tool, eaea9ccb40c82af8f3867cd0f4dd5e9d, soy.exe
7. ClientUpdate.txt, PowerShell Script, 1dbf3e9c84a89512a52da5b0bb682460, N/A
8. ClientUpdate.ps1, PowerShell Script, 08dc0073537b588d40deda1f31893c52, N/A
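A small defensive triage helper, added here as an example and not PolySwarm's own tooling: it mirrors the YARA rule's "all of them" condition in plain Python (so the logic can be checked without a YARA install) and looks a file's MD5 up in the table above. The two sample inputs are constructed text, not the real scripts.

```python
import hashlib

# The eight strings from the ZeroCleare_PS1 rule above (condition: all of them).
PS1_STRINGS = [
    b"ClientUpdate.ps1", b"DECKey", b"ContentData", b"SilentlyContinue",
    b"Start-Sleep 5", b"Decrypte-Content", b"$ClientData",
    b"gidhUoEOr4Kr+F9le1lZZk1Ll6OxRxKlOgFsa2ZlyhpEIc1bqsvNSskTc4ifiNqKZ3QI38MFCNrRvgU0d2ASasAhW53Pl58vty+IHa8hmlQnUmFa7eT9kqJcpYS43htJ1vm",
]

# MD5 values from the file table above, keyed to file name and category.
KNOWN_MD5 = {
    "1a69a02b0cd10b1764521fec4b7376c9": "ClientUpdate.exe (x64), Wiper",
    "33f98b613b331b49e272512274669844": "ClientUpdate.exe (x86), Wiper",
    "69b0cec55e4df899e649fa00c2979661": "elrawdsk.sys (x86), Tool",
    "1ef610b1f9646063f96ad880aad9569d": "soy.exe, Loader",
    "993e9cb95301126debdea7dd66b9e121": "elrawdsk.sys (x64), Tool",
    "eaea9ccb40c82af8f3867cd0f4dd5e9d": "saddrv.sys, Tool",
    "1dbf3e9c84a89512a52da5b0bb682460": "ClientUpdate.txt, PowerShell Script",
    "08dc0073537b588d40deda1f31893c52": "ClientUpdate.ps1, PowerShell Script",
}

def matches_zerocleare_ps1(data: bytes) -> bool:
    """Mirror the YARA condition 'all of them': every string must be present."""
    return all(s in data for s in PS1_STRINGS)

def missing_strings(data: bytes) -> list:
    """Which rule strings are absent; useful when investigating a near miss."""
    return [s.decode() for s in PS1_STRINGS if s not in data]

def triage(data: bytes) -> dict:
    """Hash lookup against the table plus the string check, in one verdict."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_file": KNOWN_MD5.get(md5),  # None unless it is a listed hash
        "yara_zerocleare_ps1": matches_zerocleare_ps1(data),
    }

# Constructed test input (not real malware): a PowerShell-looking text that
# carries every string from the rule, so the rule logic fires on it.
SAMPLE_HIT = b"\n".join([
    b"# ClientUpdate.ps1", b"$DECKey = 'x'", b"$ContentData = ''",
    b"$ErrorActionPreference = 'SilentlyContinue'", b"Start-Sleep 5",
    b"function Decrypte-Content { }", b"$ClientData = '" + PS1_STRINGS[-1] + b"'",
])
# Same text with the payload string removed: the rule must not fire.
SAMPLE_MISS = SAMPLE_HIT.replace(PS1_STRINGS[-1], b"")
```

Call `triage(open(path, "rb").read())` on a quarantined file to get its MD5, the table entry if the hash is listed, and whether the rule's strings are all present.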
***
Interested in obtaining new and emerging malware samples coming into PolySwarm, and in seeing how you can benefit from this type of intelligence? Get in touch with us.