After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on Dec. 10 in a new wave of attacks against targets in the Middle East. These latest Shamoon attacks are doubly destructive, since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware wipes the master boot record.
Unlike previous Shamoon attacks, these latest attacks involve a new, second piece of wiping malware (Trojan.Filerase). This malware will delete and overwrite files on the infected computer. Shamoon itself will meanwhile erase the master boot record of the computer, rendering it unusable.
The addition of the Filerase wiper makes these attacks more destructive than use of the Shamoon malware alone. While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible.
Filerase is spread across the victim’s network from one initial computer using a list of remote computers. This list is in the form of a text file and is unique to each victim, meaning the attackers likely gathered this information during an earlier reconnaissance phase of the intrusion. This list is first copied by a component called OCLC.exe and passed on to another tool called Spreader.exe. The Spreader component will then copy Filerase to all the computers listed. It will then simultaneously trigger the Filerase malware on all infected machines.
It is possible that the Shamoon malware itself was spread via these same tools, but this is unknown. In at least one instance, Shamoon was executed using PsExec, indicating that the attackers had access to credentials for the network.
News of the attacks first emerged on Dec. 10 when Italian oil services firm Saipem said that it had been hit by a cyber attack against its servers in the Middle East. Two days later, the company said that Shamoon had been used in the attack, which affected between 300 and 400 servers and up to 100 personal computers.
Symantec has found evidence of attacks against two other organizations during the same week, in Saudi Arabia and the United Arab Emirates. Both organizations are involved in the oil and gas industry.
One of the new Shamoon victims Symantec observed the organization in Saudi Arabia had recently also been attacked by another group Symantec calls Elfin (aka APT33) and had been infected with the Stonedrill malware (Trojan.Stonedrill). There were additional attacks against this organization in 2018 that may have been related to Elfin or could have been the work of yet another group.
The proximity of the Elfin and the Shamoon attacks against this organization means it is possible that the two incidents are linked.
Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Shamoon which detail methods of detecting and thwarting activities of this adversary.
No comments:
Post a Comment