Shamoon is still busy infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec.
The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.
Shamoon is believed by many to have been used in an attack last month on Saudi Aramco, the national oil company of Saudi Arabia. It is also has been linked by some to an attack that forced one of Qatar’s two main LNG (Liquid Natural Gas) production and export companies offline.
“The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network via network shares,” according to Symantec’s Security Response Team. “While Shamoon may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all machines on the local domain.”
The malware uses a hardcoded “wiping date” read from the .pnf file it creates on the file system, Symantec said. It will periodically check this date. Once it has passed, the malware will drop and execute the wiper component, which will target a prioritized list of files before moving on to the master boot record and active partition.
Once a target is found, Symantec said it will attempt to open and close the following files to determine that it has access:
[TARGET IP]ADMIN$system32csrss.exe
[TARGET IP]C$WINDOWSsystem32csrss.exe
[TARGET IP]D$WINDOWSsystem32csrss.exe
[TARGET IP]E$WINDOWSsystem32csrss.exe
“If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe,” the response team explained. “If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target machines it will delete itself.”
Last month, Saudi Aramco officials said that 30,000 workstations were impacted by the cyber-attack. However, it was able to clean the systems and restore them to service.