Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Shamoon Malware Variant Appears: Symantec

Shamoon is still busy infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec.

The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.

Shamoon is still busy infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec.

The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.

Shamoon is believed by many to have been used in an attack last month on Saudi Aramco, the national oil company of Saudi Arabia. It is also has been linked by some to an attack that forced one of Qatar’s two main LNG (Liquid Natural Gas) production and export companies offline.

“The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network via network shares,” according to Symantec’s Security Response Team. “While Shamoon may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all machines on the local domain.”

The malware uses a hardcoded “wiping date” read from the .pnf file it creates on the file system, Symantec said. It will periodically check this date. Once it has passed, the malware will drop and execute the wiper component, which will target a prioritized list of files before moving on to the master boot record and active partition.

Once a target is found, Symantec said it will attempt to open and close the following files to determine that it has access:

[TARGET IP]ADMIN$system32csrss.exe

[TARGET IP]C$WINDOWSsystem32csrss.exe

[TARGET IP]D$WINDOWSsystem32csrss.exe

[TARGET IP]E$WINDOWSsystem32csrss.exe

“If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe,” the response team explained. “If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target machines it will delete itself.”

Last month, Saudi Aramco officials said that 30,000 workstations were impacted by the cyber-attack. However, it was able to clean the systems and restore them to service.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.