Last week security experts at Chronicle announced the discovery of a new variant of the infamous Shamoon malware, the sample was uploaded to Virus Total from Italy at around the time Italian oil services company Saipem announced to have suffered a cyber attack.
Over 300 of the servers at Saipem had been infected by Shamoon.
Now security experts have spotted a different sample of the new Shamoon variant, a circumstance that could suggest the attack was greater than initially thought,
The second sample was uploaded to Virus total on December 13, from the Netherlands.
Malware researchers at
The trigger date is set in the past, but to December 12, 2017, five days later than the one set in the variant identified by
The trigger date could be retrieved by the C2, but the sample analyzed by
Anomali Labs did not include any reference to command and control servers.
“A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger
“Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.”
The newly identified sample is UPX packed in the attempt to modify the signature of the malware to make it harder the detection.
The new Shamoon variant also uses “VMWare Workstation” in its file description in an attempt to utilize a legitimate software product as a lure to victims.
“Anomali Labs has not correlated this sample to an active cyber-attack at this time, however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.” concludes Anomali Labs.
Further details, including IoCs are reported in the analysis
(SecurityAffairs –Shamoon v3, hacking)