In December malware researchers from Palo Alto Networks and Symantec discovered a new variant of Shamoon, so-called Shamoon 2, that was used at least in a targeted attack against a single Saudi organization, the Saudi Arabia’s General Authority of Civil Aviation (GACA).
“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.
“Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.” reads an analysis published by Palo Alto Networks.
Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.
In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.
The second variant of Shamoon 2 was spotted by Palo Alto Networks that had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the employees of the targeted organization’ were likely at home.
The first variant of Shamoon 2 analyzed by the experts presented a default configuration that allowed the execution of the disk-wiping component at 8:45pm local time on Thursday, November 17. Considering that in Saudi Arabia the working week runs from Sunday to Thursday, the attacker tried to exploit the pause in order to maximize the effects of the attack.
Both payloads were similar, but the analysis of the experts revealed some differences.
Threat actors used stolen credentials to deliver the malware on the target systems, according to researchers at Symantec they may have been provided by another cyber espionage group called Greenbug.
Greenbug hackers used the Ismdoor remote access Trojan (RAT) and other tools in attacks against organizations in the Middle East.
The Ismdoor establish a backdoor on the target machine and leverages PowerShell for command and control (C&C).
The group targeted organizations in multiple industries, including aviation, investment, government and education organizations in several countries (i.e. Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia).
“Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.” states the Symanted report on Greenbug.
“Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.”
The Greenbug launched spear phishing attacks against its victims in order to trick users into downloading the malicious code onto their systems. The email messages are fake business proposals that delivered a RAR archive that stored a clean PDF and a compiled HTML help file (.chm) that contained the Ismdoor Trojan.
The Greenbug hackers exploited the alternate data streams (ADS) to avoid detection.
“Windows Alternate Data Streams (ADS) is a feature of NTFS which is used to store details about a file. The information stored in ADS is hidden to the user, which makes it an attractive feature for attackers. ADS is sometimes abused by attackers to hide malware or other hacking tools on a compromised computer.” continues the analysis.
Researchers at Symantec speculate that Greenbug may have supplied credentials for the Shamoon 2 attacks. The experts detecting the Ismdoor malware on an administrator computer belonging to one of the organizations targeted with Shamoon 2.
It is important to highlight that there is no technical evidence that Greenbug and Shamoon 2 attackers are linked, but it is interesting to note that Greenbug seems to have vanished one day before the November 17 attacks.
“The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious.” reads the report.
(Security Affairs – Shamoon 2, Greenbug)