Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Shamoon Malware Delivered via Weaponized Documents: IBM

The notorious disk-wiping malware Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) team.

The notorious disk-wiping malware Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) team.

Shamoon 2 was recently spotted in attacks aimed at Saudi Arabia and other states in the Persian Gulf. The malware, also known as Disttrack, has several variants, including one capable of targeting virtual desktop infrastructure (VDI) products.

An analysis conducted recently by Symantec showed that the attackers behind Shamoon, which many believe are based in Iran, may have been aided by a threat actor dubbed Greenbug. The security firm linked the Greenbug and Shamoon groups after discovering malware from both actors on the same system.

X-Force IRIS researchers have analyzed the recent waves of Shamoon attacks and determined that the initial breach likely took place weeks before the malware was deployed and activated.

It’s worth noting that, in many cases, Shamoon had been programmed to step into action at a specified time and date, typically when the targeted organization’s employees were less likely to notice its actions.

Experts believe the attackers used weaponized Office documents as an entry point. The documents contained a malicious macro which, when executed, initiated command and control (C&C) communications and deployed a remote shell via PowerShell.

The malicious files, which often included resumes and other human resources documents, were sent to targeted users via spear phishing emails. Some of the documents found by IBM referenced an Egypt-based software professional services organization named IT Worx, and Saudi Arabia’s Ministry of Commerce and Investment (MCI).

Once the document is opened and the macro is executed, PowerShell is invoked to provide a communications channel to the compromised device, allowing attackers to remotely execute commands on it.

Advertisement. Scroll to continue reading.

The threat actor can use this access to deploy other tools and malware, and gain further access into the victim’s network. Once critical servers have been identified, the attackers can deploy Shamoon, which erases hard drives and causes systems to become inoperable.

The macro found in the documents executed two PowerShell scripts, including one served from a domain that had hosted a cross-platform remote access tool named Pupy. The RAT and the domain in question were also spotted during the analysis of an Iran-linked campaign dubbed “Magic Hound.”

IBM researchers believe the recent analysis and warnings issued by Saudi Arabia will likely cause the Shamoon attackers to once again disappear, like they did after the 2012 Saudi Aramco operation, and change their tactics for the next wave of attacks.

Related: Macro Malware Comes to macOS

Related: Office Loader Uses Macros to Drop Array of Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...