Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент ZeroCleare
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
ZeroCleare
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

ZeroCleare

ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Mandiant ROADSWEEP August 2022)(Citation: IBM ZeroCleare Wiper December 2019)
ID: S1151
Associated Software: ZEROCLEAR
Type: MALWARE
Platforms: Windows
Created: 08 Aug 2024
Last Modified: 04 Sep 2024

Associated Software Descriptions
Name Description
ZEROCLEAR (Citation: Mandiant ROADSWEEP August 2022)

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ZeroCleare can use a malicious PowerShell script to bypass Windows controls.(Citation: IBM ZeroCleare Wiper December 2019)
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: IBM ZeroCleare Wiper December 2019)
Enterprise T1070 .004 Indicator Removal: File Deletion

ZeroCleare has the ability to uninstall the RawDisk driver and delete the `rwdsk` file on disk.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.(Citation: IBM ZeroCleare Wiper December 2019)

Groups That Use This Software
ID Name References

(Citation: CISA Iran Albanian Attacks September 2022) (Citation: Microsoft Albanian Government Attacks September 2022)

G0049 OilRig

(Citation: IBM ZeroCleare Wiper December 2019)

References

  1. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  2. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  3. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  4. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.