Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked ZeroCleare Wiper Targets Energy, Industrial Sectors in Middle East

Researchers at IBM X-Force have come across what appears to be a new piece of malware that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

Researchers at IBM X-Force have come across what appears to be a new piece of malware that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

Dubbed ZeroCleare based on a path in its binary file, the malware has been described by IBM as a destructive wiper and it has been linked to Iranian hacker groups. The company believes this may be a recently created piece of malware and the campaign its researchers analyzed may have been the first to use ZeroCleare.

ZeroCleare is similar to the notorious Shamoon malware and it’s designed to overwrite the master boot record (MBR) and disk partitions of devices running Windows. Similar to Shamoon, ZeroCleare relies on the legitimate EldoS RawDisk tool to achieve its goal.

Also similar to Shamoon, this new piece of malware had spread to many devices on the network of the targeted organizations, enabling the attackers to cause serious damage. Despite these similarities, IBM believes there are enough significant differences to view ZeroCleare as a separate malware family.

The company’s analysis of the malware revealed that ZeroCleare was likely the work of at least two Iran-based threat groups, including OilRig (aka APT34 and ITG13) and Elfin (aka APT33 and Hive0016).

According to IBM, ZeroCleare can target both 32-bit and 64-bit Windows systems. In the case of 64-bit systems, which prevent the execution of drivers that are not signed by Microsoft, the malware relies on an intentionally vulnerable driver that is signed by Microsoft, which in turn loads the unsigned EldoS RawDisk driver, which is needed to wipe the machine.

The attack was linked to Iran partly based on the use of infrastructure previously used by groups believed to be operating out of Iran. It was reported recently that the infrastructure set up by one of these Iranian groups was hijacked by the Russia-linked threat actor known as Turla, but IBM does not believe that the Russian group was behind the ZeroCleare attacks.

“Looking at the geographical region hit by the ZeroCleare malware, it is not the first time the Middle East has seen destructive attacks target its energy sector. In addition to underpinning the economies of several Gulf nations, the Middle Eastern petrochemical market, for example, hosts approximately 64.5 percent of the world’s proven oil reserves, according to OPEC, making it a vital center of global energy architecture. Destructive cyberattacks against energy infrastructure in this arena, therefore, represent a high-impact threat to both regional and international markets,” explained Limor Kessem, executive security advisor at IBM.

Related: ‘xHunt’ Campaign Targets Kuwait Transportation and Shipping Sector

Related: Iranian Hackers Use New Malware in Recent Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...