Shamoon 2: Back On the Prowl

Shamoon 2: Back On the Prowl

fevereiro 8, 2017 | Adeline Zhang

Authors: Stephen Gates, Chief Research Intelligence Analyst & Cody Mercer, Senior Intelligence Threat Researcher

Overview

From reports in late January 2017, the Shamoon malware is back. Shamoon wipes the disks of computers infected with the malware. Apparently a new Shamoon variant prompted Saudi Arabia telecoms authority to issue a warning on Monday, January 23, 2017 for all organizations to be on the alert for a new variant called Shamoon 2.  That same day, Saudi state-run Al Ekhbariya TV reported that 15 government entities and private organizations had been hit with Shamoon 2.

The Shamoon 2 malware uses what is called the “Disttrack” payload.  This payload is designed to spread the malware to other computers on the same subnet/network.  It does this by logging in using previously stolen, but legitimate domain account credentials, allowing it to copying itself to the local system.  Once this is achieved, the malware schedules a task to execute the payload at a pre-planned time. Shamoon wipes data and commandeers the computer’s boot record, which prevents the computer from booting up properly, making the computer unusable.

Threat Actor Objectives

It is too early to point fingers at possible nation-state attackers this go around, but back in 2012, Iran denied being responsible for the Shamoon attacks against Saudi Arabian interests even though some experts hinted that it might be true. According to Garamone (2012), U.S. Defense Secretary Leon Panetta said, “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.” Iran has not officially commented on the latest Shamoon 2 outbreak.

In this version of Shamoon, it was not configured with a command and control (C2) server for the malware to communicate with.  Much of today’s malware is bundled with a way to communicate outbound to a command and control infrastructure; right through border firewalls.  Malware performs this function to exfiltrate data, allow for remote access, or exchange keys for encryption, etc.  In this case, the malware was primarily designed to do one thing – cripple the infected computers by making them completely unusable – targeted destruction.

Conditions for Exploitation

 In this case, there were several account credentials hardcoded within the Disttrack payload; said to appear to be a mixture of individual user accounts and administrator accounts.  To gain this type of information, organizational data had to be compromised (stolen) before the Shamoon 2 attack.  This is often done through phishing employees, exploiting a vulnerability in an in internal computer (allowing back door access), or an insider threat.  In other words, a breach of confidentiality (user accounts) occurred before the malware did its damage.  This appears to be pre-arranged, targeted malware, focused on a single victim, or set of victims.

Threat Variants

Shamoon

W32.Disttrack

 Activities Attracting the Threat

In this case, this was an extremely targeted piece of malware intent on making computers unusable. The networks that were affected by this malware suggests that their defenses were previously breached. The malware appears to be specially designed for a single victim or group of victims.

Outcomes if Threat is Successful

In this case, the outcome could not only cause damage to infected computers, but also potentially cause a loss of view and/or a loss of control of potentially dangerous industrial control systems; since the attack was targeting critical infrastructure in Saudi Arabia.

Per Gambrell (2017), “A report Monday (January 23, 2017) by Saudi state-run television included comments suggesting that 15 government agencies and private institutions had been hit by the Shamoon virus, including the Saudi Labor Ministry. The ministry said it was working with the Interior Ministry to contain the virus.  Sadara, a joint venture between the Saudi Arabian Oil Co. and Michigan-based Dow Chemical Co., shut down its computer network Monday over a disruption.”

Indicators of Compromise, Falcone (2017)

Hashes

010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb (64-bit Disttrack)

efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8 (Communication)

113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4 (Wiper)

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (vdsk911.sys)

Filenames

ntertmgr32.exe

ntertmgr64.exe

vdsk911.sys

dcT21x400i.pnf

vsfnp7_6.pnf

caiaw00e.exe

sbuvideo.exe

caiaw00i.exe

olvume.exe

usinwb2.exe

briaw005.exe

fpwwlwf.exe

epiaw003.exe

briaw002.exe

olvsnap.exe

dmwaudio.exe

briaw006.exe

miWApRpl.exe

caiaw00b.exe

lxiaw003.exe

pdwmtphw.exe

caiaw00a.exe

sdwprint.exe

caiaw00d.exe

kyiaw002.exe

sdwscdrv.exe

briaw00a.exe

saiaw002.exe

_mvscdsc.exe

hdvmp32.exe

_s3wcap32.exe

hpiaw001.exe

lxiaw004.exe

cniaw001.exe

lxiaw006.exe

caiaw00f.exe

newtvsc.exe

Service Names

NtertSrv

vdsk911

Defenses Against the Threat

  1. Ensure that only essential services necessary to server or host functionality are running and that all unnecessary ports are either blocked or disabled until proper patches are applied.
  1. Always maintain firewall capabilities with patch updates for servers that are public facing and accessible via ports 21, 443, 80, and 110. Servers hosting certain services should have only necessary ports open to permit for defined functionality.
  1. Shutdown all ports and services within the firewall settings and only open and permit for ports and services within the ingress/egress points which are critical to the functionality of the application or the system.
  1. Establish strict password policy adherence to include requirements such as 30-60 day password change, uppercase letters, 2-lowercase letters, 2-special characters, and 14-character minimum. Also, prevention of dictionary passwords is strongly recommended.
  1. Only permit and create administrative access accounts to those that need it. Account permissions should be designated and assigned at the lowest level of need and upgraded on a need-to basis depending on the requirements.
  1. Configure anti-virus and SIEMS within a computer infrastructure to monitor and block email attachments from outside sources or unknown parties. Scanning of attachments should occur in the event that execution or deployment of attachment is absolutely necessary.
  1. Develop a strong Incident Response team that has the tools and proper procedures in place that shall be utilized when a compromised asset or event has occurred. This includes segregation of compromised assets from the network infrastructure for containment and forensics purposes.
  1. Regular vulnerability and scanning efforts should be conducted on a weekly or daily basis. This identifies vulnerable systems that need attention or should be patched as per the current policies and procedures set in place by the IT/Operations Department.

References

Falcone, R. (2017). Second wave of shamoon 2 attacks identified. AP. Retrieved from: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/

Gambrell, J. (2017). Saudi Arabia warns destructive computer virus has returned.  Retrieved from: http://bigstory.ap.org/article/888029171f0e4a67bdbae98cbd5bf814/saudi-arabia-warns-destructive-computer-virus-has-returned

Garamone, J. (2012). Panetta spells out DOD roles in cyberdefense. U.S. Department of Defense.   Retrieved from:  http://archive.defense.gov/news/newsarticle.aspx?id=118187