Shamoon 2 Used Rudimentary Method for Network Distribution

Palo Alto Networks researchers have continued to analyze the Shamoon 2 attacks and determined that the method used by the malware to spread on the targeted organizations’ networks is rudimentary, but efficient.

The latest waves of attacks involving the disk-wiping malware Shamoon, aka Disttrack, have been analyzed by several security firms. IBM reported recently that the attackers delivered Shamoon using weaponized documents, and researchers have found connections to several other Iran-linked threat actors, including Charming Kitten (aka Newscaster, NewsBeef), Rocket Kitten, Magic Hound (aka Timberworm, COBALT GYPSY), and Greenbug.

It has been known that the Shamoon 2 attacks involved stolen credentials and that the threat actors had access to the targeted organizations’ networks well before the malware initiated its destructive routines. Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.

In a blog post published on Monday, Palo Alto Networks said it managed to determine exactly how the stolen credentials were used by the attackers.

According to researchers, the hackers first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials. This machine, which became their distribution server, stored the attackers’ tools and malware. From this distribution server, the attackers attempted to connect to named systems on the network using compromised credentials and infect them with the Shamoon malware.

From the named systems, the malware identified up to 256 IP addresses on the local network and spread to those devices. Then, from each newly infected system, the malware attempted to spread to another 256 IP addresses on the local network.

Experts believe the information on named hosts was obtained directly from Active Directory on a domain controller, which also suggests that the attackers used legitimate credentials in their operations.
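The fan-out described above, one host trying up to 256 addresses in its own subnet, is visible in ordinary connection logs. The following Python is an added example, not code from the article or from Palo Alto Networks' research: it flags any source that reaches many neighbours in its own /24 over administrative ports within a short window. The log format, port list, window and threshold are assumptions, and the traffic is constructed.

```python
"""Flag hosts sweeping their own /24 over admin ports (Shamoon 2-style spread)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
LATERAL_PORTS = {135, 139, 445, 3389}  # RPC, NetBIOS, SMB, RDP: common lateral channels

def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def fanout_alerts(lines, threshold=32, window=timedelta(minutes=10)):
    """Return {src_ip: distinct same-/24 neighbours contacted} for every source whose
    count inside a single time bucket reaches the threshold on a lateral-movement port."""
    seen = defaultdict(set)  # (src, bucket) -> neighbour addresses contacted
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port not in LATERAL_PORTS or src == dst:
            continue
        # Only destinations inside the source's own /24 count: that is the local sweep.
        if dst not in ipaddress.ip_network(f"{src}/24", strict=False):
            continue
        bucket = (ts - datetime.min) // window  # integer index of the 10-minute bucket
        seen[(src, bucket)].add(dst)
    alerts = {}
    for (src, _bucket), dsts in seen.items():
        if len(dsts) >= threshold:
            alerts[str(src)] = max(len(dsts), alerts.get(str(src), 0))
    return alerts

def constructed_log():
    """Constructed sample traffic: one host sweeping 10.0.5.0/24 over SMB, one benign host."""
    start = datetime(2017, 1, 23, 1, 0, 0)
    lines = []
    for i in range(1, 255):  # the sweeping host tries every address in its /24
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.5.17 10.0.5.{i} 445")
    for i, dst in enumerate(["10.0.5.2", "10.0.5.3", "10.0.9.40"]):  # ordinary file-share use
        t = start + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.0.5.30 {dst} 445")
    return lines

if __name__ == "__main__":
    for host, count in fanout_alerts(constructed_log()).items():
        print(f"ALERT {host} contacted {count} neighbours in its /24 within one window")
```

The sweeping host is reported with 253 neighbours (its own address is skipped), while the benign host's two local connections stay under the threshold.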

“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.

Palo Alto Networks has also found more evidence linking the Shamoon attacks to the Magic Hound group. According to the security firm, one of the command and control (C&C) servers used by Magic Hound and a server hosting Shamoon files used IP addresses from the same range, namely 45.76.128.x. Another similarity is related to the use of PowerShell and Meterpreter.

Palo Alto Networks agrees with Symantec on the theory that Magic Hound may have conducted the reconnaissance phase of the Shamoon 2 attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
