The Shamoon disk-wiper malware, also known as Disttrack, has returned with new attacks after a four-year break, once again aimed at companies in Saudi Arabia.
Shamoon was first discovered in 2012 by the security firms Websense (now Forcepoint), Seculert, and Kaspersky, when the malware was deployed against a Saudi oil company. The disk wiper's aim has not changed: it is still targeting Saudi Arabian enterprises. In the 2012 attack, Shamoon wiped the data on more than 30,000 computers and overwrote their hard drives' MBR (Master Boot Record) with an image of a burning US flag.
Now, according to Symantec and Palo Alto Networks, Shamoon is back, but this time it is going after only one Saudi company. They say the malware is overwriting the MBR of the targeted computers with the well-known image of the three-year-old Syrian refugee boy lying dead on a Turkish beach. Researchers also explain that Shamoon had been pre-configured with the computers' login credentials so it could delete as much data as possible and spread faster. This means the attackers behind the malware had collected these credentials beforehand, breaching the company in a separate intrusion before the actual attack.
The timing of both attacks was not chosen randomly. Shamoon's latest strike this year was scheduled for Thursday, November 17th at 20:45 local time, an important Muslim holiday that also marks the start of the weekend in Saudi Arabia. This way the attackers made sure the malware had the whole weekend to spread before being discovered. The 2012 attack was timed in a similar way.
The malware version used in this year's attack was almost the same as the one from 2012. Back then, Shamoon had three main components: a communications module, a dropper, and a wiper. The communications module is used by the attackers to contact a remote Command & Control (C&C) server, which allowed them to deploy new components or change the time at which the attack occurs. In the 2016 attack, however, this component was neutered, being configured with the IP 188.8.131.52. This IP is random and has never hosted a Shamoon C&C, meaning the attackers had no intention of changing the deployment date or aborting the attack.
The dropper was used to extract the additional components from embedded resources and execute them. The last component was the actual hard drive wiper. It is powered by the EldoS RawDisk driver, which allows it to access the hard drives directly without needing to go through Windows. In 2012, the attack was launched in August, right before the driver's license expiration date, and in the 2016 attack the Shamoon developers reused the same expired license from their previous attack. All of these clues confirm that the people behind this year's attack are the same ones who deployed Shamoon against the Saudi oil company four years ago.
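As an added example (not from the article or from the researchers it cites), a small Python triage script that applies the two indicators the article gives, the hard-coded 188.8.131.52 address and loads of the EldoS RawDisk driver, to constructed endpoint log lines in an assumed "host event key=value" format, and ranks hosts by whether both indicators appear together.

```python
import re
from collections import defaultdict

# Indicators taken from the article: the 2016 sample's C&C address is hard-coded
# to 188.8.131.52, and the wiper relies on the EldoS RawDisk driver.
SHAMOON_C2_IP = "188.8.131.52"
RAWDISK_DRIVER_RE = re.compile(r"rawdisk|eldos", re.IGNORECASE)

# Constructed sample log lines (hosts, paths and addresses are made up) in the
# simple "host event key=value ..." format assumed for this example.
SAMPLE_LOGS = """\
ws-017 netconn dst=10.0.4.2 dport=445
ws-017 driver_load image=c:\\windows\\system32\\drivers\\rawdsk.sys vendor=EldoS
ws-017 netconn dst=188.8.131.52 dport=80
ws-042 netconn dst=10.0.8.9 dport=443
ws-042 driver_load image=c:\\windows\\system32\\drivers\\e1g6032e.sys vendor=Intel
fs-003 netconn dst=188.8.131.52 dport=80
"""

def scan(logs):
    """Return {host: set(indicator)} for every host matching a Shamoon indicator."""
    hits = defaultdict(set)
    for line in logs.splitlines():
        host, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        # Beaconing to the neutered C&C address: no legitimate host should do this.
        if event == "netconn" and kv.get("dst") == SHAMOON_C2_IP:
            hits[host].add("c2_ip")
        # A RawDisk driver load means raw disk access outside normal Windows APIs.
        if event == "driver_load" and RAWDISK_DRIVER_RE.search(
                kv.get("vendor", "") + " " + kv.get("image", "")):
            hits[host].add("rawdisk_driver")
    return dict(hits)

def triage(hits):
    """Both indicators on one host suggest an armed wiper, not just a beacon."""
    return {h: ("critical" if {"c2_ip", "rawdisk_driver"} <= ind else "suspicious")
            for h, ind in hits.items()}

if __name__ == "__main__":
    for host, level in sorted(triage(scan(SAMPLE_LOGS)).items()):
        print(f"{host}: {level}")
```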