X-Force, IBM's security arm, has published a report on a new strain of malware linked to Iranian state-backed hacking groups and used in a devastating attack against companies in the Middle East. IBM warned that it targets the industrial and energy sectors in the region.

According to the report issued by X-Force researchers, the program, called "Mop" or "ZeroCleare", is the result of potential cooperation between groups sponsored by the Iranian state.

The attacks targeted specific organizations and used passwords to access network resources. The first phase of the attacks was launched from IP addresses in Amsterdam owned by a group linked to what IBM refers to as ITG13, also known as Oilrig and APT34. Another Iranian threat group may have used the same addresses to access the accounts.

IBM did not name the companies that were targeted and had their data erased in the recent attacks, but made it clear in the 28-page report that the ZeroCleare malware worked to erase data.

The American company said that ZeroCleare resembles Shamoon, one of the most dangerous and destructive strains of malware of the past decade. Unlike many previous cyber attacks, which were usually carried out by one group, IBM explained that this malicious software and the attacks behind it appeared to be a cooperative effort between two government-backed Iranian hacking units.

Such malware is usually used to hide intrusions by deleting important clues, or to destroy the victim’s ability to carry out their usual business.

The researchers explained that attacks usually start with hackers trying to guess passwords in order to access corporate network accounts and resources.

Once the attackers gain access to the company’s server account, they exploit a security vulnerability to install threats such as China Chopper and Tunna, in order to reach the largest possible number of computers within the network. After the programs obtain the features, a toolkit for interacting with files and disks is loaded.

Victims of the attacks were in the energy and industrial sectors in countries that Iran regards as rivals in the Persian Gulf. This is not the only ongoing campaign linked to Iran. Unconfirmed reports have pointed to other attacks by the Iranian APT33 against energy companies in the United States and other countries, and another threat group linked to Iran has targeted a US presidential campaign.