A new variant of the destructive Shamoon malware was uploaded to VirusTotal this week, but security researchers haven’t linked it to a specific attack yet.
Also referred to as DistTrack, the sophisticated malware was initially observed in attacks against Saudi Arabian and other oil companies in 2012, when it destroyed data on over 30,000 systems.
An updated version of the threat emerged in 2016, when it hit various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). One variant of Shamoon 2 was also observed targeting virtualization products.
Unlike most malware used in targeted attacks, which focuses on stealing information, Shamoon erases data on infected computers and attempts to destroy the hard disk and render systems unusable. The data-wiping functionality, however, is only triggered on a hard-coded date.
The malware can spread rapidly across a compromised network, using Windows Server Message Block (SMB) to copy itself to other systems, much like other destructive malware such as NotPetya (which used the EternalBlue exploit that was also used by WannaCry).
Shamoon typically uses a set of hard-coded domain credentials specific to the target organization to spread to other machines, but the malware variant uploaded to VirusTotal on Monday doesn’t contain the credentials necessary for distribution.
In a report shared with SecurityWeek, security researchers at Chronicle, one of Google’s newest sister companies, say there’s no evidence that the new Shamoon variant is linked to a specific attack. Moreover, they aren’t sure who created the sample or who uploaded it to the online scanner.
The sample, however, closely matches historic versions of the malware, although it contains elements that set it apart from the previously observed variants.
The sample has a trigger date of December 7, 2017 23:51 (local time), nearly one year before the date it was uploaded. It is unclear whether the malware was actually used last year or whether the actor behind it deliberately chose a trigger date in the past so that wiping would begin immediately on execution.
Unlike with previous versions, the credential list contained in the sample no longer provides enough information to attribute the intended victim. Furthermore, the spreader module has been neutered and contains no credentials at all.
Unlike the Shamoon2/DistTrack variants, the new version contains a much longer list of filenames from which the name of the dropped executable is selected. Moreover, the new list does not overlap with previously observed versions of Shamoon, the Chronicle researchers said.
Chronicle noted that the malicious files were uploaded to VirusTotal from Italy. Moreover, the files were discovered at around the time Italian oil services company Saipem, which has assets in the Middle East, announced being hit by a cyberattack.
“It’s still too early to tell, but given Saipem’s position as a trusted 3rd-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past — which points to the destructive Shamoon attacks of 2012 and 2016, now widely-attributed to Iran,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek following the Saipem attack.