A new Shamoon 3 sample uploaded to VirusTotal from France

A new sample of Shamoon 3 was uploaded on December 23 to the VirusTotal platform from France, it is signed with a Baidu certificate.

A new sample of the dreaded Shamoon wiper was uploaded on December 23 to the VirusTotal platform from France. This sample attempt to disguise itself as a system optimization tool developed by Chinese technology company Baidu.

The new variant is signed with a digital certificate from Baidu that was issued on March 25, 2015 and that expired on March 26, 2016.

AThis sample was packed using the commercial packing tool Enigma version 4.

Researchers from Anomali Labs have analyzed the latest variant of the wiper and discovered that it uses an image of a burning US Dollar as part of its destructive attack and includes the text “WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN.”

In the attempt to deceive the victims, attackers used the internal file name “Baidu PC Faster” and the “Baidu WiFi Hotspot Setup” in the description of the file.

“The newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion.” reads the analysis published by Anomali Labs.

“In this case the malicious internal file name is “Baidu PC Faster” and uses the description “Baidu WiFi Hotspot Setup”. A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource “GRANT” is included which indicates that this sample was like compiled based on the second version of the codebase.”

Experts speculate the Shamoon 3 sample was “compiled based on the second version of the codebase,” it has many similarities with Shamoon 2.

Experts at Anomali Labs has not confirmed that the latest sample has been used in attacks in the wild, they pointed out that threat actors could be active during western holidays exists as happened in 2016 with Shamoon 2.

Anomali Labs experts believe the Shamoon 3 sample was not necessarily created by the original threat actor, instead, it may be a Shamoon 2 variant modified by a threat actor.

According to the malware researchers at McAfee that analyzed the three Shamoon samples recently discovered, the latest variants may be attributed to the Iranian hacker group tracked as APT33.

Pierluigi Paganini

(SecurityAffairs – Shamoon 3, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

Share On