Short Bytes: The security researchers at Palo Alto Networks have detected two versions of a malware similar to Shamoon which attacked 35,000 Saudi Aramco machines in 2011. The latest version, known as Second Shamoon 2, was spotted in November 2016. It is known to cause cyber espionage and damage virtual machines working on the target network.The infamous Shamoon malware (aka Disttrack) known for its cyber espionage skills has returned. And it is now more advanced than before, with its capabilities of taking down virtual machines.
Shamoon has the ability to spread on the local network. It curates a list of files from specific locations on a computer and sends it to the attacker before deleting them. It can overwrite the MBR making the machine inaccessible.
Shamoon first appeared in 2012 when it was used to attack an oil company Saudi Aramco based in Saudi Arabia, affecting 35,000 machines. It took almost a week’s time to get those machines back online. It was in November 2016, when a new instance of the Shamoon malware, dubbed ‘Shamoon 2’, came to light. It was used to attack another Saudi Arabia-based firm and was set to wipe the systems on November 17.
A similar payload called ‘Second Shamoon 2’ was spotted again in November by security researchers at Palo Alto Networks, and it was also targetted in Saudi Arabia. The researchers note that the second Shamoon 2 malware contained hardcoded account credentials related to the victim organization. A behavior not observed in the previous Shamoon 2 case.
The fact that these user credentials comply with Windows password complexity requirements makes the researchers assume the existence of an unknown attack, similar to November 17, used to harvest the usernames and passwords for the latest attack.
Also, the updated Shamoon includes the administrator account user credentials – a part of the official documentation – for Huawei’s desktop virtualization products, like FusionCloud, used to create a Virtual Desktop Infrastructure (VDI). These virtual systems are known to provide protection against malware like Shamoon by facilitating Virtual Desktop Interface Snapshots – backups made before the machine is wiped.
The credentials might’ve been used by the target organization to set up their Huawei VDI systems. The attackers probably included them to increase the attack intensity by disabling the virtual machine’s protection. It can’t be said if the attackers initiated a previous attack to obtain the credentials or these were just supplementing an arrow shot in the dark to make password guesses.
Moreover, the researchers are unaware of the medium used to spread the malware which was scheduled to wipe the systems on November 29 at 1:30 am local time in Saudi Arabia. At that time, it hardly possible that staff members were present in the organization, thereby, increasing the time of detection and proceeding for any countermeasures.
To know more about the Second Shamoon 2 attack, you can read the original blog post.
What do you think about Shamoon? Drop your thoughts in the comments.