Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Variant of Shamoon Malware Uploaded to VirusTotal

A new variant of the destructive Shamoon malware was uploaded to VirusTotal this week, but security researchers haven’t linked it to a specific attack yet.

A new variant of the destructive Shamoon malware was uploaded to VirusTotal this week, but security researchers haven’t linked it to a specific attack yet.

Also referred to as DistTrack, the sophisticated malware was initially observed in attacks against Saudi Arabian and other oil companies in 2012, when it destroyed data on over 30,000 systems.

An updated version of the threat emerged in 2016, when it hit various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). One variant of Shamoon 2 was also observed targeting virtualization products.

Unlike other malware used in targeted attacks, which focuses on stealing information, Shamoon erases data on infected computers and attempts to destroy the hard disk and render systems unusable. The data-wiping functionality, however, is triggered upon a hard-coded date.  

The malware can rapidly spread on impacted networks, using Windows Server Message Block (SMB) to copy itself to other systems, similar to other destructive malware such as NotPetya (which used the EternalBlue exploit that was also used by WannaCry).

Shamoon typically uses a set of hard-coded domain credentials specific to the target organization to steal credentials, but a malware variant uploaded to VirusTotal on Monday doesn’t contain the credentials necessary for distribution.

In a report shared with SecurityWeek, security researchers at Chronicle, one of Google’s newest sister companies, say there’s no evidence that the new Shamoon variant is linked to a specific attack. Moreover, they aren’t sure who created the sample or who uploaded it to the online scanner.

Advertisement. Scroll to continue reading.

The sample, however, closely matches historic versions of the malware, although it contains elements that set it apart from the previously observed variants.

The sample has a trigger date of December 7, 2017 23:51 (local time), nearly one year from the date uploaded. However, it is unclear whether the malware was used last year or the actor behind it used an intentional historic trigger date to immediately start wiping data.

The credential list contained in the sample no longer provides enough information for victim attribution, as it happened with previous versions. Furthermore, the spreader module has been neutered and does not contain credentials.

Unlike the Shamoon2/DistTrack variants, the new version contains a much longer filename list used for selecting a dropped executable name. On top of that, the new list does not overlap with previously observed versions of Shamoon, the Chronicle researchers said.

Chronicle noted that the malicious files were uploaded to VirusTotal from Italy. Moreover, the files were discovered at around the time Italian oil services company Saipem, which has assets in the Middle East, announced being hit by a cyberattack.

“It’s still too early to tell, but given Saipem’s position as a trusted 3rd-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past — which points to the destructive Shamoon attacks of 2012 and 2016, now widely-attributed to Iran,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek following the Saipem attack.

Related: Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Related: Multiple Groups Cooperated in Shamoon Attacks: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.