Posted by javajolt
Shamoon Disk-Wiping Malware Re-Emerges with a Third Variant
« on: December 14, 2018, 11:46:07 AM »
A new sample of the Shamoon data-wiping malware has been discovered in the wild, after a period of silence that lasted for about two years.

Shamoon was first seen in 2012 in attacks against the oil company Saudi Aramco, where it erased data on more than 35,000 of the company's computer systems.

Four years later, it was spotted in attacks against private organizations in the same region that persisted until January 2017.

Sample comes with an old trigger date

In a report sent to BleepingComputer, the research team from Chronicle (the cybersecurity subsidiary of Google's parent company, Alphabet Inc.) says that the new strain was uploaded to VirusTotal on December 10, from Italy. It consists of a dropper and two modules, Wiper and Network, Brandon Levene, head of applied intelligence at Chronicle, told us. They handle the disk-wiping activity and the communication with the command and control (C2) server, respectively.

Levene says that the author(s) of the new Shamoon removed some resources that were used to replace the destroyed files, although the capability itself still exists. The alternative is to overwrite the data and the hard disk's MBR with random data.

The variant analyzed by Chronicle has the trigger date and local time set to December 7, 2017, 23:51. The researchers note that this is about one year before it was uploaded to VirusTotal.

"Because of this, it is not known if this sample was used last year or if the actors used an intentional historic trigger date to immediately start destructive operations," the experts note.

Another element analyzed by the researchers was the credential list typically found in Shamoon samples, which helps it spread through the network via authenticated SMB sessions. This information comes from the reconnaissance stage of the attack, when the threat actor collects login credentials.

In this case, no credentials were found, although the capability to use them is still present, Levene says. This also means that there are no clues to tie the malware to a particular target.

Furthermore, Chronicle says that it has no evidence to connect the sample to a specific attack and cannot determine the author of the strain or who submitted it to VirusTotal.

Italian company blames Shamoon for a recent cyber attack

However, news emerged this week of a cyber attack against Italian oil services provider Saipem. The incident occurred on Monday and impacted over 300 of the company's servers located in the Middle East, India, Scotland (Aberdeen), and Italy.

It is possible that one of the samples was uploaded by Saipem while trying to determine the nature of the malware that affected its business.

In a statement on Wednesday, Saipem says that the threat actor used a variant of Shamoon for the attack that "led to the cancellation of data and infrastructures, typical effects of malware."

The company announced that it is working on restoring its activity in a gradual and controlled manner by using its backup infrastructure.

Update [12/13/18] Chronicle responded to our request for comments and offered additional details about the new strain of Shamoon. We have updated the article and the headline to include the new information.

source