The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Latest samples of ZeroCleare, Iranian state-sponsored malware, available on PolySwarm

Jan 9, 2020 11:09:01 AM / by PolySwarm Tech Team

malware_iran

Today, PolySwarm, a threat intelligence platform used to detect new and emerging malware, releases information about a new variant of ZeroCleare (a destructive malware attributed to Iran). PolySwarm Community (free) and Enterprise users were able access to the full content of this sample before it appeared on VirusTotal.

ZeroCleare was first discovered and attributed to Iran by IBM X-Force in December 2019, when it was  used to target Industrial Control System (ICS) and SCADA operators in the Middle East. ZeroCleare is particularly dangerous as it leverages domain controllers for propagation and thus can spread rapidly through an organization.

“We recovered a sample of the initial stage for the most recent iteration of this ZeroCleare family and made it available on PolySwarm to help organizations build an effective defense,” says PolySwarm CTO Paul Makowski. “In addition, we are providing a YARA rule to the public, which can be deployed to block  this variant at the mail server, firewall and perimeter. As of this writing, several engines on PolySwarm are detecting the malware.”

PolySwarm has provided a YARA rule (available below) which should be useful in detecting this malware variant in email and other vectors security teams might be monitoring. Additionally, you can download the sample for free on PolySwarm. Simply create a free account to access the sample-download feature.  

Data destroyer malware like ZeroCleare and related families are of major concern to banking and ICS/SCADA industries. Enterprises should ensure that their systems are up to date and they are using all the detection tools available to block and detect threats. Third party reporting indicates initial infection was via unpatched vulnerability in VPN appliances; it is especially crucial to ensure these appliances have been updated.

PolySwarm’s founding team is made up of former NSA and DoD  security experts driven to improve the threat intelligence landscape. PolySwarm is an open source, crowdsourced model where specialized security experts and niche antivirus companies compete to detect threats in real-time to protect enterprises.

TECHNICAL INFORMATION: 

First-Stage of ZeroCleare - see scan results here in PolySwarm. (YARA rule provided below to detect this):

https://polyswarm.network/scan/results/file/a1029d20f595ff92746fd9d1d351a215cdffbdd7f0b19ba1859f1c211fddc060

Malicious Payload:

https://polyswarm.network/scan/results/file/2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d

Initial detailed, IBM report: 

https://www.ibm.com/downloads/cas/OAJ4VZNJ

YARA RULE:

rule ZeroCleare_PS1 : APT
{
    meta:
        author = "PolySwarm"
        date = "07-01-2020"

    strings:
        $filename = "ClientUpdate.ps1"
        $deckey = "DECKey"
        $var = "ContentData"
        $params = "SilentlyContinue"
        $sleep = "Start-Sleep 5"
        $decrypt_fnc = "Decrypte-Content"
        $base64_data = "$ClientData"
        // can be payload specific
        $payload = "gidhUoEOr4Kr+F9le1lZZk1Ll6OxRxKlOgFsa2ZlyhpEIc1bqsvNSskTc4ifiNqKZ3QI38MFCNrRvgU0d2ASasAhW53Pl58vty+IHa8hmlQnUmFa7eT9kqJcpYS43htJ1vm"

    condition:
        all of them
}

Other files associated with this threat (the YARA above is for #8):


   File Name, Category, File Hash, Parent
1. ClientUpdate.exe (x64), Wiper, 1a69a02b0cd10b1764521fec4b7376c9, ClientUpdate.ps1
2. ClientUpdate.exe (x86), Wiper, 33f98b613b331b49e272512274669844, ClientUpdate.ps1
3. elrawdsk.sys (x86), Tool, 69b0cec55e4df899e649fa00c2979661, ClientUpdate.ps1
4. soy.exe, Loader, 1ef610b1f9646063f96ad880aad9569d, ClientUpdate.ps1
5. elrawdsk.sys (x64), Tool, 993e9cb95301126debdea7dd66b9e121, soy.exe
6. saddrv.sys, Tool, eaea9ccb40c82af8f3867cd0f4dd5e9d, soy.exe
7. ClientUpdate.txt, PowerShell Script, 1dbf3e9c84a89512a52da5b0bb682460, N/A
8. ClientUpdate.ps1, PowerShell Script, 08dc0073537b588d40deda1f31893c52, N/A

 

***

Interested in obtaining new and emerging malware samples coming into PolySwarm, and see how you can benefit from this type of intelligence? Get in touch with us here. 

***

Subscribe to PolySwarm's email list to get updates about emerging malware, and company news and happenings. (Subscribe via the box in the right column, or click here.)

 

 

Topics: Insider, Explained, PolySwarm, Threat Hunting, Research

PolySwarm Tech Team

Written by PolySwarm Tech Team