ZeroCleare

APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

Dragonfly has used the command line for execution. Empire uses a command-line interface to interact with systems. StarProxy has used the command line for execution of commands.

Medusa Group has utilized vulnerable or signed drivers to kill or delete services associated with endpoint detection and response (EDR) tools. ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

VOID MANTICORE has masqueraded malicious payloads to resemble legitimate applications. During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

ZeroCleare and Dustman mirrored Shamoon’s reliance on modified legitimate drivers to achieve destructive effects.

The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.

Instead, they opted for rapid, recursive file-level destruction, overwriting targeted files with 4096-byte blocks of random data.

“AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity.”

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR). APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.

VOID MANTICORE has deployed custom wipers that overwrite system files and the host devices master boot records (MBR) to corrupt or destroy files. During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.

"Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender," "StrongPity can use PowerShell to add files to the Windows Defender exclusions list," and "ZeroCleare can use a malicious PowerShell script to bypass Windows controls."