We detected the Shamoon malware for the first time in August 15th, 2012, when the Saudi Arabia’s oil company, Saudi Aramco announced that its systems and its internal network were victims of a cyber-attack. According to the company, Shamoon infected more than 30,000 workstations.
On December 2016, security experts observed a new wave of attacks leveraging on the Shamoon malware. The malware experts from Palo Alto Networks and Symantec both reported an attack on a single Saudi company.
The new variant of Shamoon, so-called Shamoon 2, can rewrite the MBR on affected computers with an image of a three-year-old Syrian boy named Alan Kurdi that lay dead on a Turkish beach.
“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.
In January, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.
The researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) believe Shamoon malware is pivot element in the information warfare between Saudi Arabia and Iran.
The malware experts have identified servers used to deliver Shamoon, they have broken onto the server used by the attackers and gathered more information to study the threat and its attack chain.
“This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:” IBM reports.
The attackers launched a spear-phishing campaign against the potential targets, they used to impersonate a trusted person, for example, the Saudi Arabia’s Ministry of Commerce and Investment or the Egyptian software company IT Worx.
The messages come with a Word document marked as a resume, health insurance paperwork, or password policy guidelines, anyway something of interest for the potential victim.
The documents include a malicious macro that starts the attack. When the victim executes the macro it launches two Powershell scripts.
“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” continues the report.
The researchers identified two web domains used to host malicious executables and launch the attacks.
This information is precious for system administrators that could check any connection to these domains and block it.
The experts discovered that attackers once infected the machine use them for reconnaissance, gathering information on the network and stealing sensitive information. Once completed this phase the attackers deploy the Shamoon payload.
Saudi Arabia is warning local organizations about the Shamoon malware, experts believe that the threat actor behind these operations will continue its activity temporarily disappearing and changing tactic.
(Security Affairs – shamoon, cyber weapon)