Security researchers from Arbor Networks’ Security Engineering and Response Team (ASERT) have conducted a new analysis of the Shamoon 2 malware discovering further details on the tools and techniques used by the threat actor.
The Shamoon 2 malware was first spotted in November 2016, a second variant of the same threat was discovered by researchers at Palo Alto Networks in January and it was able to target virtualization products.
Shamoon, also known as Disttrack, was first discovered in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.
In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.
The last variant of the Shamoon2 malware infected computers at petrochemical targets and at the Saudi Arabian central bank system.
The analysis has shed light on the control infrastructure and the infection process.
The researchers at Arbor Networks started their analysis from the findings of the study conducted by IBM’s X-Force. The experts at IBM’s X-Force discovered the threat actor used weaponized documents containing a malicious macro that once executed enabled the connection to the C&C server via PowerShell commands.
The analysis of three X-Force malware samples, the researchers were able to locate the malicious domains and IP addresses used by the attackers.
“From the previous samples, we performed a passive DNS lookup on the IPs. We found get.adobe.go-microstf[.]com hosted at 104.218.120[.]128 around the time this campaign was ongoing, November 2016.” reads the analysis from ArborNetworks.
“Researching the domain go-microstf[.]com, hosted at 45.63.10[.]99, revealed yet another iteration of malicious executables. In this case, a URL used to download the PowerShell component shared a naming convention found in the IBM report, http://69.87.223[.]26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples.”
The domain go-microstf[.]com was initially set up to harvest Google Analytics login page in a spoof campaign started in January.
One of the samples shared by IBM indicated the document author was ‘gerry.knight,’ then the experts at ASERT used this information to discover other three additional samples of documents used to distribute malicious macros unrelated to the Shamoon2 campaigns. Those samples matched existing documents used by threat actors behind the Magic Hound campaigns.
Another evidence that links Shammon 2 malware to Iranian hackers was a “sloo.exe” file dumped by the malicious code in a targeted PC’s Temp folder.
“Unlike newer samples, this one created a unique file ‘sloo.exe’. The file was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this file, the sample also contacted 104.238.184[.]252 for the PowerShell executable.” reads the technical analysis published by Arbor Networks.
(Security Affairs – Shamoon 2 malware, hacking)