Shamoon 2 Variant Targets Virtualization Products

A second variant of the Shamoon 2 malware discovered by researchers at Palo Alto Networks has been set up to target virtualization products, likely in an effort to increase the impact of the attack and make recovery more difficult for targeted organizations.

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to Saudi Arabian petroleum and natural gas company Saudi Aramco. A newer version of the threat, dubbed Shamoon 2, was recently used to target various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA), which has downplayed the impact of the attack.

Palo Alto Networks has come across two variants of Shamoon 2. The first variant, detailed shortly after the new attacks came to light, was configured to automatically start wiping infected systems in the evening of November 17, 2016, just as the work week ended in Saudi Arabia.

The second variant discovered by the security firm had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the majority of the targeted organization’s employees were likely at home.

The payload delivered in this second wave was similar to the first one, but experts did find some differences. Same as in the first attacks, Shamoon spread throughout the local network using legitimate domain account credentials, including ones belonging to users and administrators. Since many of these passwords were complex, researchers believe the threat actor may have obtained the information as a result of a previous attack.

Palo Alto Networks also highlighted that the second Shamoon 2 variant included credentials for virtualization products from Huawei, specifically virtual desktop infrastructure (VDI) products such as FusionCloud.

These credentials can be found in the vendor’s official documentation, which suggests that the attackers either knew that the organization had been using these credentials based on information collected in a previous attack, or they were simply hoping that the defaults had not been changed.

“VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon,” Palo Alto Networks’ Robert Falcone wrote in a blog post.

“However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshot,” Falcone added.

Related Reading: KillDisk Malware Targets Linux Machines

Related Reading: Iranian Group Delivers Malware via Fake Oxford University Sites