Shamoon is still busy infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec.
The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.
Shamoon is believed by many to have been used in an attack last month on Saudi Aramco, the national oil company of Saudi Arabia. It is also has been linked by some to an attack that forced one of Qatar’s two main LNG (Liquid Natural Gas) production and export companies offline.
“The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network via network shares,” according to Symantec’s Security Response Team. “While Shamoon may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all machines on the local domain.”
The malware uses a hardcoded “wiping date” read from the .pnf file it creates on the file system, Symantec said. It will periodically check this date. Once it has passed, the malware will drop and execute the wiper component, which will target a prioritized list of files before moving on to the master boot record and active partition.
Once a target is found, Symantec said it will attempt to open and close the following files to determine that it has access:
[TARGET IP]ADMIN$system32csrss.exe
[TARGET IP]C$WINDOWSsystem32csrss.exe
[TARGET IP]D$WINDOWSsystem32csrss.exe
[TARGET IP]E$WINDOWSsystem32csrss.exe
“If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe,” the response team explained. “If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target machines it will delete itself.”
Last month, Saudi Aramco officials said that 30,000 workstations were impacted by the cyber-attack. However, it was able to clean the systems and restore them to service.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
