Zerocleare

Malware updated 5 months ago (2024-05-20T11:17:29.978Z)
ZeroCleare is a destructive wiper: once deployed it overwrites disk contents and critical files, leaving affected systems and networks unbootable and unusable. It has been linked to several actors associated with Iran's Ministry of Intelligence and Security (MOIS). ZeroCleare was first observed in attacks on oil and energy companies in the Middle East, where it was attributed to the Iran-linked actor APT34 (also known as OilRig); at the time it was described as a new wiper rather than a reuse of earlier tooling.

A closely related variant, Dustman, was reportedly used in an attack on Bapco, Bahrain's national oil company, in late December 2019 and caused significant disruption. The link between the two families rests in part on the RawDisk license key embedded in Dustman, which is identical to the one used in ZeroCleare. In both the ZeroCleare and Dustman incidents of 2019, the wiper and the raw disk driver it relied on were unsigned, so the driver could not be loaded directly and the malware could not access the raw disk on its own for fast data destruction.

A comparative analysis of two waves of cyberattacks against Albanian government organizations found both ROADSWEEP ransomware and the ZEROCLEARE wiper in use. This marked a shift from earlier Iran-associated disruptive operations, which mostly relied on Disttrack-like malware variants weaponizing the EldoS RawDisk driver. In the Albanian attacks, once network defenders identified and began responding to the ransomware activity, the actors deployed a version of ZeroCleare, showing a layered approach in which the wiper follows the ransomware. The progression from Disttrack-style wipers to ZeroCleare and Dustman, and then to ransomware paired with a wiper, reflects the increasing sophistication of these actors and the need for defenses that cover both stages.
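The description above stresses that the 2019 ZeroCleare and Dustman wipers depended on an unsigned raw disk driver that could not be loaded directly. A practical consequence for defenders is that kernel-driver loads are a worthwhile hunting surface. The following is an added example, not code from the page or from any vendor report: it scans flattened Sysmon Event ID 6 (DriverLoad) records and flags loads that are unsigned, carry a non-valid signature status, or come from outside the system driver directory. The `EventID=6|Key=value|...` line format, the driver file names and the sample events are constructed for this example; the field names (`ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`) are the ones Sysmon emits for that event.

```python
"""Hunt for suspicious kernel-driver loads in Sysmon Event ID 6 records.

Added example (not from the page or any vendor). The flat 'Key=value|...'
line format and the driver names below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Directory where Windows keeps its own drivers (compared case-insensitively).
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one flattened Sysmon record into a dict of fields.

    Returns None for anything that is not a DriverLoad (EventID 6) record
    or that lacks the ImageLoaded field.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            continue  # tolerate stray tokens instead of failing the whole line
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("EventID") != "6" or "ImageLoaded" not in fields:
        return None
    return fields


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious driver load, else None.

    Ordering matters: an unsigned driver is always the strongest signal,
    a signed-but-not-valid signature (expired, revoked, untrusted root) is
    next, and a validly signed driver loaded from an unusual path is the
    weakest but still worth a look.
    """
    image = event["ImageLoaded"]
    signed = event.get("Signed", "").lower() == "true"
    status = event.get("SignatureStatus", "")
    if not signed:
        return ("high", "unsigned kernel driver loaded")
    if status.lower() != "valid":
        return ("medium", f"signature status {status or 'missing'}")
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        return ("low", "validly signed driver loaded from outside the system driver directory")
    return None


def find_suspicious_driver_loads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over raw log lines; returns (image, severity, reason)."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict is not None:
            findings.append((event["ImageLoaded"], verdict[0], verdict[1]))
    return findings


# Constructed sample events: one benign Microsoft driver, one unsigned driver
# dropped in a user-writable path, one driver with an expired signature, one
# validly signed driver in an odd location, and one non-DriverLoad event.
SAMPLE_EVENTS = [
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Users\Public\rawdisk_example.sys|Signed=false|Signature=|SignatureStatus=Unavailable",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\thirdparty_example.sys|Signed=true|Signature=Example Vendor|SignatureStatus=Expired",
    r"EventID=6|ImageLoaded=C:\Temp\loader_example.sys|Signed=true|Signature=Example Vendor|SignatureStatus=Valid",
    r"EventID=7|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, severity, reason in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

In a real deployment the same three checks would run over the XML or JSON that Sysmon actually writes, and the "outside the system driver directory" rule should be tuned against an allowlist of legitimate third-party driver paths to keep the low-severity noise down.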
Description last updated: 2024-05-20T11:17:07.310Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Dustman (2 votes)
Dustman is a possible alias for Zerocleare. Dustman is a destructive malware variant, specifically a wiper, that was first identified in late December 2019. This new strain of malware was discovered following incidents involving similar wipers such as ZEROCLEARE. Historically, these types of malware and their raw disk drivers were unsigned, m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Wiper
Malware
Ransomware