Shamoon 2 Variant Targets Virtualization Products

A second variant of the Shamoon 2 malware discovered by researchers at Palo Alto Networks has been configured to target virtualization products, likely in an effort to increase the impact of the attack and make recovery more difficult for targeted organizations.

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to Saudi Arabian petroleum and natural gas company Saudi Aramco. A newer version of the threat, dubbed Shamoon 2, was recently used to target various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA), which has downplayed the impact of the attack.

Palo Alto Networks has come across two variants of Shamoon 2. The first variant, detailed shortly after the new attacks came to light, was configured to automatically start wiping infected systems on the evening of November 17, 2016, just as the work week ended in Saudi Arabia.

The second variant discovered by the security firm had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the majority of the targeted organization’s employees were likely at home.

The payload delivered in this second wave was similar to the first one, but experts did find some differences. As in the first attacks, Shamoon spread throughout the local network using legitimate domain account credentials, including ones belonging to users and administrators. Since many of these passwords were complex, researchers believe the threat actor obtained them in an earlier intrusion rather than by guessing.

Palo Alto Networks also highlighted that the second Shamoon 2 variant embedded credentials for virtualization products from Huawei, specifically virtual desktop infrastructure (VDI) products such as FusionCloud.

These are the default credentials listed in the vendor's official documentation, which suggests that the attackers either knew from information collected in a previous intrusion that the organization was still using them, or were simply hoping that the defaults had not been changed. Either way, the practical check is the same: verify that every management account on VDI hosts and their management interfaces has been changed from the documented default, and that those interfaces are not reachable with ordinary domain credentials.


“VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon,” Palo Alto Networks’ Robert Falcone wrote in a blog post.

“However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshot,” Falcone added.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
