Security Experts:

Shamoon 3 Wiper Code Includes Verse From Quran

Researchers continue to analyze the recent Shamoon 3 attacks and they have discovered more links to Iran and additional components of the malware.

Several Shamoon 3 samples have been identified recently and they are said to have been used in attacks aimed at organizations in the Middle East and elsewhere. According to cybersecurity firms, the attackers targeted the Middle Eastern assets of Italian oil and gas services company Saipem, along with some organizations in Saudi Arabia and the United Arab Emirates. McAfee reported seeing victims in the oil, gas, telecom, energy and government sectors.

Symantec noted in its initial analysis of the Shamoon 3 attacks that a Saudi Arabian organization hit by the malware had recently also been targeted by an Iran-linked threat group known as APT33 and Elfin. The same entity also had some systems infected with a Shamoon-linked piece of malware tracked as Stonedrill.

In a blog post published on Wednesday, McAfee said it believes that APT33 – or a group impersonating APT33 – is likely behind the Shamoon 3 attacks. This conclusion is based on a comparison between the tools and domains used in Shamoon 3 attacks and the ones detailed by FireEye in its first report describing the activities of APT33.

It’s worth noting that an analysis conducted by Symantec last year concluded that multiple groups had cooperated in previous Shamoon attacks so it’s possible that more than one team was also behind the latest wave of attacks.

Both McAfee and Palo Alto Networks have conducted a detailed analysis of the components used in the latest Shamoon campaign.

Researchers from these companies have identified a loader component, which executes a spreader that helps the attackers deliver the wiper to other systems on the compromised network. The spreader uses information stored in text files to move laterally within the network – the information from the text files was likely collected during reconnaissance activities. Another component is used to remotely execute the wiper on compromised systems.

The wiper itself, which overwrites files with random data, was not seen in previous Shamoon attacks, which involved a wiper tracked as DistTrack. Hidden in a file named SlHost.exe, the Trojan is written in C# and it’s based on an open source Windows tool named SuperDelete, which allows users to delete files and directories with very long paths.

Palo Alto Networks researchers explained that the wiper does not use all the functionality included in SuperDelete. However, the attackers did add some ASCII art representing a verse from the Quran written in Arabic. The verse translates to “Perish the two hands of Abu Lahab ‘father of flames’ (an uncle of prophet peace be upon him) and Perish he!”

Shamoon 3 ASCII art

Interestingly, the ASCII art is never actually displayed to the victim due to how the wiper is programmed, and instead it can only be seen by individuals performing a code analysis of the malware.

“The religiously charged message within the wiper Trojan is interesting, as it acts as a message that may point to the adversary’s motivations,” Palo Alto Networks’ Robert Falcone explained. “We have potentially tied the use of this wiper to the Shamoon 3 incident involving the Disttrack wiper, which in the past has used politically charged images to overwrite files in Shamoon and Shamoon 2 attacks. This also suggests that the adversaries involved in the Shamoon attacks have additional wipers in their toolset to complement the Disttrack Trojan.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.