Shamoon 2 Used Rudimentary Method for Network Distribution

Palo Alto Networks researchers have continued to analyze the Shamoon 2 attacks and determined that the method used by the malware to spread on the targeted organizations’ networks is rudimentary, but efficient.

The latest waves of attacks involving the disk-wiping malware Shamoon, aka Disttrack, have been analyzed by several security firms. IBM reported recently that the attackers delivered Shamoon using weaponized documents, and researchers have found connections to several other Iran-linked threat actors, including Charming Kitten (aka Newscaster, NewsBeef), Rocket Kitten, Magic Hound (aka Timberworm, COBALT GYPSY), and Greenbug.

It was already known that the Shamoon 2 attacks involved stolen credentials and that the threat actors had access to the targeted organizations’ networks well before the malware initiated its destructive routines. Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.

In a blog post published on Monday, Palo Alto Networks said it managed to determine exactly how the stolen credentials were used by the attackers.

According to researchers, the hackers first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials. This machine, which became their distribution server, stored the attackers’ tools and malware. From this distribution server, the attackers attempted to connect to named systems on the network using compromised credentials and infect them with the Shamoon malware.

From the named systems, the malware identified up to 256 IP addresses on the local network and spread to those devices. Then, from the newly infected systems, the malware attempted to spread to another 256 IP addresses on the local network.

Experts believe the information on named hosts was obtained directly from Active Directory on a domain controller, which also suggests that the attackers used legitimate credentials in their operations.

“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.
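The distribution pattern described above (a single host fanning out to up to 256 addresses in its own local subnet over SMB or RDP) is something a defender can look for in connection logs. The following is an added example, not code from Palo Alto Networks or SecurityWeek; the log format, the sample entries, the port list and the 32-peer alert threshold are constructed assumptions.

```python
"""Flag hosts that fan out to many peers in their own /24 on lateral-movement
ports, the footprint a Shamoon 2 spreader leaves when it walks 256 local IPs.
Added example; log format and thresholds are assumptions, not the vendor's."""
import ipaddress
from collections import defaultdict

# Constructed sample of connection attempts, one "src dst dport" per line.
# 10.1.2.5 sweeps its own /24 on SMB; 10.1.2.40 talks to two neighbours;
# 10.1.9.3 reaches 10.1.2.40 over RDP from another subnet (distribution-server style).
SAMPLE_LOG = [f"10.1.2.5 10.1.2.{i} 445" for i in range(1, 81)] + [
    "10.1.2.5 10.1.7.20 445",
    "10.1.2.40 10.1.2.41 445",
    "10.1.2.40 10.1.2.42 3389",
    "10.1.9.3 10.1.2.40 3389",
]

LATERAL_PORTS = {445, 3389}  # SMB and RDP, the channels the article describes


def parse(line):
    """Split a constructed log line into (src, dst, dport)."""
    src, dst, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def same_slash24(a, b):
    """True when both addresses fall in the same /24, the 256-address local sweep range."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False)
    return net(a) == net(b)


def local_fanout(lines):
    """Map each source to the number of distinct same-/24 peers it contacted on lateral ports."""
    peers = defaultdict(set)
    for line in lines:
        src, dst, port = parse(line)
        if port in LATERAL_PORTS and src != dst and same_slash24(src, dst):
            peers[src].add(dst)
    return {str(s): len(d) for s, d in peers.items()}


def suspicious_spreaders(lines, threshold=32):
    """Sources whose local fan-out meets the threshold; a full sweep reaches 255 peers,
    so an assumed threshold of 32 surfaces the behaviour well before the sweep completes."""
    return sorted(s for s, n in local_fanout(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(local_fanout(SAMPLE_LOG))
    print("suspected spreaders:", suspicious_spreaders(SAMPLE_LOG))
```

A single source authenticating into many named hosts from outside their subnet, as the distribution server did, is a separate pattern better taken from authentication logs than from this flow-based check.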

Palo Alto Networks has also found more evidence linking the Shamoon attacks to the Magic Hound group. According to the security firm, one of the command and control (C&C) servers used by Magic Hound and a server hosting Shamoon files used IP addresses from the same range, namely 45.76.128.x. Another similarity is related to the use of PowerShell and Meterpreter.

Palo Alto Networks agrees with Symantec on the theory that Magic Hound may have conducted the reconnaissance phase of the Shamoon 2 attacks.

Related: Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Related: Ransomware Module Found in Shamoon 2.0

Related: Shamoon 2 Variant Targets Virtualization Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.