Dustman is the successor of the ZeroCleare malware
In recent days, events tied to Iran have been making headlines in international media.
The military and political tension between the U.S. and Iran, which has simmered for decades, has flared up again. It has fuelled rumors that Iran will retaliate with cyber attacks carried out by Iranian hackers.
Then the news arrived. In the first days of 2020, Saudi Arabia's cybersecurity authorities reported that a wiper malware named Dustman had targeted Bapco, Bahrain's national oil company.
The best-known precedent dates back to 2012, when Iranian hackers attacked Saudi Aramco, the world's largest oil company, with the then-unknown Shamoon malware. That attack wiped the data on 32,000 Aramco computers.
In 2019 new malware surfaced in the Middle East, according to a recently published report. ZeroCleare was detected in mid-2019, and Dustman surfaced in the final days of 2019. Experts believe both were produced by the same group, and Dustman appears to be a newer version of ZeroCleare.
Attack on Bahrain’s Bapco with Dustman
The attack took place on December 29th. Iranian state-sponsored hackers got in through a vulnerability in the VPN servers of the victim's network. That foothold gave them control over the domain, which in turn allowed them to disable the antivirus management system for every machine on the network.
The attackers then manually wiped the server's storage. The next step was to deploy Dustman on every machine on the network. This was the most interesting part of the attack: the otherwise difficult task of infecting every machine was carried out through the network's central antivirus management service.
Central antivirus management services, increasingly popular with system administrators, are meant to make protecting a network easier and more reliable. In this attack, however, the same tool helped the hackers infect every machine on Bapco's network. Once copied to a computer and executed, Dustman drops three new files on the victim machine and wipes the data on the infected host.
As a result, the data on some Bapco machines was wiped, while other machines survived because they were in sleep mode at the time. As their final step, the attackers set about erasing their tracks on the network.
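The deployment pattern described above is what a defender would want to alert on: one management host pushing a single new binary to many endpoints within minutes, followed by log clearing on the hosts involved. The following is an added example written for this page; it is not code from the original article, the Saudi report, or the Dustman sample. The telemetry format, hostnames, hashes, event names and thresholds are all assumptions made for the example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed telemetry, not real Bapco or Dustman data.
    Format per line: "<timestamp> <host> <event> k=v ...". Hostnames,
    hashes and event names are assumptions made for this example."""
    lines = []
    # A routine, small signature update pushed to three hosts the day before.
    for i in range(3):
        lines.append(f"2019-12-28T09:00:{i:02d} av-mgmt-01 PUSH_FILE "
                     f"target=ws-{i + 1:03d} sha256=b1b1b1b1")
    # A new, previously unseen binary pushed to 25 hosts inside twelve minutes.
    for i in range(25):
        ts = datetime(2019, 12, 29, 1, 0, 0) + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} av-mgmt-01 PUSH_FILE "
                     f"target=ws-{i + 1:03d} sha256=a2a2a2a2")
    # Log clearing afterwards on the console and on one endpoint.
    lines.append("2019-12-29T02:40:00 av-mgmt-01 LOG_CLEARED channel=Security")
    lines.append("2019-12-29T02:41:00 ws-001 LOG_CLEARED channel=Security")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed line format into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        ts, host, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return events


def detect_mass_push(events, window=timedelta(minutes=15), min_targets=10):
    """Alert on a (source host, file hash) pair pushed to at least
    `min_targets` distinct endpoints within `window`. One alert per pair,
    covering every push still inside the window that triggered it."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "PUSH_FILE":
            pushes[(e["host"], e["sha256"])].append(e)
    alerts = []
    for (src, sha), evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                j = end
                while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[start]["ts"] <= window:
                    j += 1
                targets = {e["target"] for e in evs[start:j + 1]}
                alerts.append({"source": src, "sha256": sha,
                               "targets": sorted(targets),
                               "first": evs[start]["ts"], "last": evs[j]["ts"]})
                break
    return alerts


def detect_log_clear_after_push(events, alerts, within=timedelta(hours=24)):
    """Hosts that cleared a log after taking part in a flagged push, either as
    the pushing console or as a target. Returns sorted (host, timestamp)."""
    hits = []
    for a in alerts:
        involved = set(a["targets"]) | {a["source"]}
        for e in events:
            if (e["event"] == "LOG_CLEARED" and e["host"] in involved
                    and a["first"] <= e["ts"] <= a["last"] + within):
                hits.append((e["host"], e["ts"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    found = detect_mass_push(evs)
    for a in found:
        print(f"mass push from {a['source']} of {a['sha256']} to "
              f"{len(a['targets'])} hosts between {a['first']} and {a['last']}")
    for host, ts in detect_log_clear_after_push(evs, found):
        print(f"log cleared on {host} at {ts} after flagged push")
```

The small signature update never trips the threshold, while the 25-host push does, and the later log-clear events on the console and on an endpoint that received the push are tied back to that alert. Thresholds should be tuned to the size of the environment: in a real console, legitimate agent upgrades also fan out to every host, so the discriminator is a hash never seen before combined with the anti-forensic step, not fan-out alone.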
History of Dustman
Some infosec experts believe this malware was produced by Iranian state-sponsored hackers, citing similarities in the structural design and techniques of Dustman and ZeroCleare. Interestingly, the group that built the malware left a text in Dustman's code wishing death on Bin Salman. Some experts also attribute the malware to APT34, also known as OilRig, a notorious Iranian state hacking group.
In 2019 we witnessed an increase in Iranian hacker activity, and now, with political tension between the U.S. and Iran at its peak, the likelihood of further attacks on Western critical infrastructure is rising.