A new sample of Shamoon 3 was uploaded on December 23 to the VirusTotal platform from France, it is signed with a Baidu certificate.
A new sample of the dreaded Shamoon wiper was uploaded on December 23 to the VirusTotal platform from France. This sample attempt to disguise itself as a system optimization tool developed by Chinese technology company Baidu.
The new variant is signed with a digital certificate from Baidu that was issued on March 25, 2015 and that expired on March 26, 2016.
AThis sample was packed using the commercial packing tool Enigma version 4.
Researchers from Anomali Labs have analyzed the latest variant of the wiper and discovered that it uses an image of a burning US Dollar as part of its destructive attack and includes the text “WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN.”
In the attempt to deceive the victims, attackers used the internal file name “Baidu PC Faster” and the “Baidu WiFi Hotspot Setup” in the description of the file.
“The newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion.” reads the analysis published by Anomali Labs.
“In this case the malicious internal file name is “Baidu PC Faster” and uses the description “Baidu WiFi Hotspot Setup”. A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource “GRANT” is included which indicates that this sample was like compiled based on the second version of the codebase.”
Experts speculate the Shamoon 3 sample was “compiled based on the second version of the codebase,” it has many similarities with Shamoon 2.
Experts at Anomali Labs has not confirmed that the latest sample has been used in attacks in the wild, they pointed out that threat actors could be active during western holidays exists as happened in 2016 with Shamoon 2.
AnomaliLabs experts believe the Shamoon 3 sample was not necessarily created by the original threat actor, instead, it may be a Shamoon 2 variant modified by a threat actor.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.