Authors: Stephen Gates, Chief Research Intelligence Analyst & Cody Mercer, Senior Intelligence Threat Researcher
Overview
According to reports from late January 2017, the Shamoon malware is back. Shamoon wipes the disks of the computers it infects. A new Shamoon variant reportedly prompted Saudi Arabia's telecoms authority to issue a warning on Monday, January 23, 2017, for all organizations to be on alert for the new variant, called Shamoon 2. That same day, Saudi state-run Al Ekhbariya TV reported that 15 government entities and private organizations had been hit with Shamoon 2.
Shamoon 2 uses what is called the "Disttrack" payload. This payload is designed to spread the malware to other computers on the same subnet/network. It does this by logging in with previously stolen, but legitimate, domain account credentials, allowing it to copy itself to the local system. Once this is achieved, the malware schedules a task to execute the payload at a pre-planned time. Shamoon wipes data and overwrites the computer's boot record, which prevents the computer from booting properly and makes it unusable.
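The spreading behaviour described above leaves a distinctive trail in Windows event logs: one domain account producing network logons (event 4624, logon type 3) to many hosts in a short window, followed by scheduled-task creation (event 4698, which requires task auditing to be enabled) or a new service installation (System log event 7045). The following detection logic is an added example written for this report, not code from the authors or from any vendor; the events it runs over are constructed, and the filenames and service names it matches are the ones listed in the Indicators of Compromise section below.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Filenames and service names are taken from the IoC section of this report.
IOC_FILENAMES = {"ntertmgr32.exe", "ntertmgr64.exe", "vdsk911.sys"}
IOC_SERVICES = {"NtertSrv", "vdsk911"}

# Constructed sample events, not real telemetry. Each dict is a simplified view
# of a Windows event: 4624 (logon) and 4698 (scheduled task created) from the
# Security log, 7045 (new service installed) from the System log.
SAMPLE_EVENTS = [
    {"ts": "2017-01-23T02:00:05", "id": 4624, "host": "WS-01", "user": "CORP\\svc_backup", "logon_type": 3},
    {"ts": "2017-01-23T02:00:09", "id": 4624, "host": "WS-02", "user": "CORP\\svc_backup", "logon_type": 3},
    {"ts": "2017-01-23T02:00:14", "id": 4624, "host": "WS-03", "user": "CORP\\svc_backup", "logon_type": 3},
    {"ts": "2017-01-23T02:00:20", "id": 4624, "host": "WS-04", "user": "CORP\\svc_backup", "logon_type": 3},
    {"ts": "2017-01-23T02:00:31", "id": 4698, "host": "WS-02", "user": "CORP\\svc_backup",
     "task": "\\Update", "command": "C:\\Windows\\System32\\ntertmgr32.exe"},
    {"ts": "2017-01-23T02:00:40", "id": 7045, "host": "WS-03",
     "service": "NtertSrv", "image": "C:\\Windows\\System32\\ntertmgr64.exe"},
    {"ts": "2017-01-23T09:15:00", "id": 4624, "host": "WS-07", "user": "CORP\\alice", "logon_type": 2},
    {"ts": "2017-01-23T09:16:00", "id": 4698, "host": "WS-07", "user": "CORP\\alice",
     "task": "\\Backup", "command": "C:\\Tools\\backup.exe"},
]


def fan_out_logons(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: hosts} for accounts whose network logons (4624, logon
    type 3) reach at least min_hosts distinct hosts inside a sliding window.
    One account touching many hosts quickly is the footprint of a worm reusing
    a stolen domain credential, which is how Disttrack spreads."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for user, entries in by_user.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def ioc_persistence(events):
    """Return (host, kind, name, binary) for scheduled tasks or services whose
    binary or service name matches a Disttrack indicator."""
    hits = []
    for e in events:
        if e["id"] == 4698 and ntpath.basename(e["command"]).lower() in IOC_FILENAMES:
            hits.append((e["host"], "task", e["task"], e["command"]))
        elif e["id"] == 7045 and (e["service"] in IOC_SERVICES
                                  or ntpath.basename(e["image"]).lower() in IOC_FILENAMES):
            hits.append((e["host"], "service", e["service"], e["image"]))
    return hits


if __name__ == "__main__":
    for user, hosts in fan_out_logons(SAMPLE_EVENTS).items():
        print(f"credential fan-out: {user} -> {', '.join(hosts)}")
    for host, kind, name, binary in ioc_persistence(SAMPLE_EVENTS):
        print(f"IoC persistence on {host}: {kind} {name} runs {binary}")
```

The fan-out rule is deliberately independent of the indicator lists, so it still fires if the attacker renames the dropped files; the persistence rule is the cheap, high-confidence check for the known names. Thresholds such as three hosts in ten minutes are assumptions to tune against a given environment's normal service-account activity.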
Threat Actor Objectives
It is too early to point fingers at possible nation-state attackers this time around, but back in 2012, Iran denied being responsible for the Shamoon attacks against Saudi Arabian interests even though some experts hinted that it might be true. According to Garamone (2012), U.S. Defense Secretary Leon Panetta said, "All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date." Iran has not officially commented on the latest Shamoon 2 outbreak.
This version of Shamoon was not configured with a command and control (C2) server for the malware to communicate with. Much of today's malware is bundled with a way to communicate outbound to a command and control infrastructure, often right through border firewalls. Malware does this to exfiltrate data, allow remote access, exchange encryption keys, and so on. In this case, the malware was primarily designed to do one thing – cripple the infected computers by making them completely unusable – targeted destruction.
Conditions for Exploitation
In this case, several account credentials were hardcoded within the Disttrack payload, reportedly a mixture of individual user accounts and administrator accounts. To obtain this information, organizational data had to be compromised (stolen) before the Shamoon 2 attack. This is often done by phishing employees, exploiting a vulnerability in an internal computer (allowing back door access), or through an insider threat. In other words, a breach of confidentiality (user accounts) occurred before the malware did its damage. This appears to be pre-arranged, targeted malware, focused on a single victim or set of victims.
Threat Variants
Shamoon
W32.Disttrack
Activities Attracting the Threat
In this case, this was an extremely targeted piece of malware intent on making computers unusable. The networks affected by this malware suggest that their defenses had been breached beforehand. The malware appears to be specially designed for a single victim or group of victims.
Outcomes if Threat is Successful
In this case, the outcome is not only damage to infected computers but also, because the attack targeted critical infrastructure in Saudi Arabia, a potential loss of view and/or loss of control over dangerous industrial control systems.
Per Gambrell (2017), “A report Monday (January 23, 2017) by Saudi state-run television included comments suggesting that 15 government agencies and private institutions had been hit by the Shamoon virus, including the Saudi Labor Ministry. The ministry said it was working with the Interior Ministry to contain the virus. Sadara, a joint venture between the Saudi Arabian Oil Co. and Michigan-based Dow Chemical Co., shut down its computer network Monday over a disruption.”
Indicators of Compromise (Falcone, 2017)
Hashes
010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb (64-bit Disttrack)
efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8 (Communication)
113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4 (Wiper)
5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (vdsk911.sys)
Filenames
ntertmgr32.exe
ntertmgr64.exe
vdsk911.sys
dcT21x400i.pnf
vsfnp7_6.pnf
caiaw00e.exe
sbuvideo.exe
caiaw00i.exe
olvume.exe
usinwb2.exe
briaw005.exe
fpwwlwf.exe
epiaw003.exe
briaw002.exe
olvsnap.exe
dmwaudio.exe
briaw006.exe
miWApRpl.exe
caiaw00b.exe
lxiaw003.exe
pdwmtphw.exe
caiaw00a.exe
sdwprint.exe
caiaw00d.exe
kyiaw002.exe
sdwscdrv.exe
briaw00a.exe
saiaw002.exe
_mvscdsc.exe
hdvmp32.exe
_s3wcap32.exe
hpiaw001.exe
lxiaw004.exe
cniaw001.exe
lxiaw006.exe
caiaw00f.exe
newtvsc.exe
Service Names
NtertSrv
vdsk911
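A practical way to use the hashes, filenames and service names above is a small sweep that checks a host for files matching either indicator set and flags known service names. The scanner below is an added example written for this report, not a tool published by the authors or by Palo Alto Networks; its indicator tables are copied from the lists above, and the demo fixture it builds is a constructed temporary directory with placeholder file contents, so only the filename rule fires there (a hash match needs the actual sample on disk). Service names are passed in as a list, which on a live host would come from the Service Control Manager.

```python
import hashlib
import os
import tempfile

# SHA-256 values and labels copied from the IoC section of this report.
IOC_SHA256 = {
    "010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb": "64-bit Disttrack",
    "efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8": "Communication",
    "113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4": "Wiper",
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": "vdsk911.sys",
}

# Filenames copied from the IoC section, lowercased so comparisons are
# case-insensitive as Windows filenames are.
IOC_FILENAMES = {n.lower() for n in (
    "ntertmgr32.exe", "ntertmgr64.exe", "vdsk911.sys", "dcT21x400i.pnf", "vsfnp7_6.pnf",
    "caiaw00e.exe", "sbuvideo.exe", "caiaw00i.exe", "olvume.exe", "usinwb2.exe",
    "briaw005.exe", "fpwwlwf.exe", "epiaw003.exe", "briaw002.exe", "olvsnap.exe",
    "dmwaudio.exe", "briaw006.exe", "miWApRpl.exe", "caiaw00b.exe", "lxiaw003.exe",
    "pdwmtphw.exe", "caiaw00a.exe", "sdwprint.exe", "caiaw00d.exe", "kyiaw002.exe",
    "sdwscdrv.exe", "briaw00a.exe", "saiaw002.exe", "_mvscdsc.exe", "hdvmp32.exe",
    "_s3wcap32.exe", "hpiaw001.exe", "lxiaw004.exe", "cniaw001.exe", "lxiaw006.exe",
    "caiaw00f.exe", "newtvsc.exe",
)}

# Service names copied from the IoC section.
IOC_SERVICES = {"ntertsrv", "vdsk911"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root):
    """Walk root and return [(path, [reasons])] for files matching an IoC
    filename or an IoC SHA-256. Unreadable files are skipped, not fatal."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("filename")
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in IOC_SHA256:
                reasons.append("sha256:" + IOC_SHA256[digest])
            if reasons:
                findings.append((path, reasons))
    return findings


def check_services(service_names):
    """Return the installed service names that match a Disttrack indicator."""
    return sorted(s for s in service_names if s.lower() in IOC_SERVICES)


def demo():
    """Constructed fixture: a temp dir holding two IoC-named files and one
    benign file, all with placeholder contents. Returns the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("ntertmgr32.exe", "notes.txt", "vdsk911.sys"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"placeholder, not the real sample")
        return sorted(os.path.basename(p) for p, _ in scan_directory(tmp))


if __name__ == "__main__":
    print("flagged files:", demo())
    print("flagged services:", check_services(["Spooler", "NtertSrv", "vdsk911"]))
```

Filename matches are weaker evidence than hash matches, since several of the listed names imitate printer and video driver binaries; treat a filename hit as a lead to confirm by hash or by inspecting the file, and a hash hit as a positive.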
Defenses Against the Threat
- Ensure that only the services essential to a server's or host's function are running, and that all unnecessary ports are blocked or disabled until proper patches are applied.
- Always keep firewall capabilities patched and up to date for public-facing servers accessible via ports 21, 443, 80, and 110. Servers hosting particular services should have only the ports needed for their defined functionality open.
- Shut down all ports and services in the firewall configuration, and open only those ports and services at ingress/egress points that are critical to the functionality of the application or system.
- Enforce a strict password policy including requirements such as a 30-60 day password change interval, uppercase letters, 2 lowercase letters, 2 special characters, and a 14-character minimum. Blocking dictionary passwords is also strongly recommended.
- Create administrative accounts only for those who need them. Account permissions should be assigned at the lowest level required and raised only on an as-needed basis.
- Configure anti-virus and SIEMs within the infrastructure to monitor and block email attachments from outside sources or unknown parties. Attachments should be scanned whenever opening or executing one is absolutely necessary.
- Develop a strong incident response team with the tools and procedures in place to be used when an asset is compromised or an event occurs. This includes isolating compromised assets from the network for containment and forensics.
- Conduct regular vulnerability scanning on a weekly or daily basis. This identifies vulnerable systems that need attention or should be patched per the current policies and procedures set by the IT/Operations department.
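The password rules in the list above (14-character minimum, uppercase letters, 2 lowercase letters, 2 special characters, no dictionary passwords) can be enforced programmatically wherever passwords are set or audited. The checker below is an added example for this report, not code from the authors; it assumes "special character" means any non-alphanumeric character, since the list does not define it, and its word list is a constructed stand-in for a real dictionary or breached-password list. The change-interval rule is a lifecycle policy rather than a property of the string, so it is not checked here.

```python
import re

# Rules as stated in the defenses list above.
MIN_LENGTH = 14
MIN_UPPER = 1
MIN_LOWER = 2
MIN_SPECIAL = 2

# Constructed stand-in for a dictionary/common-password list; a real
# deployment would load a full word list or a breached-password corpus.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "admin"}


def policy_violations(password):
    """Return the rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append("no uppercase letter")
    if sum(c.islower() for c in password) < MIN_LOWER:
        problems.append(f"fewer than {MIN_LOWER} lowercase letters")
    # Assumption: any non-alphanumeric character counts as "special".
    if sum(not c.isalnum() for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    # Strip digits and symbols before the dictionary check so that the usual
    # padding around a word ("Welcome2017!!") does not hide it.
    core = re.sub(r"[^a-z]", "", password.lower())
    if any(word in core for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems


def is_compliant(password):
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Welcome2017!!Company", "Tq7#v!Lm9xRw2e", "short"):
        print(repr(candidate), "->", policy_violations(candidate) or "OK")
```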
References
Falcone, R. (2017). Second wave of Shamoon 2 attacks identified. Palo Alto Networks Unit 42. Retrieved from: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/
Gambrell, J. (2017). Saudi Arabia warns destructive computer virus has returned. AP. Retrieved from: http://bigstory.ap.org/article/888029171f0e4a67bdbae98cbd5bf814/saudi-arabia-warns-destructive-computer-virus-has-returned
Garamone, J. (2012). Panetta spells out DOD roles in cyberdefense. U.S. Department of Defense. Retrieved from: http://archive.defense.gov/news/newsarticle.aspx?id=118187