In a fresh analysis of the Shamoon2 malware, researchers from Arbor Networks’ Security Engineering and Response Team (ASERT) say they have unearthed new leads on the tools and techniques used in the most recent wave of attacks.
Shamoon2 surfaced in November, approximately four years after the original Shamoon was used in attacks against Saudi Aramco, a national petroleum and natural gas company based in Saudi Arabia. Like the original Shamoon malware, the updated version also destroys computer hard drives by wiping the master boot record and the data. Shamoon2 also targets petrochemical targets, but also the Saudi Arabian central bank system, according to reports.
However, up until last week, researchers were still searching for basic answers to questions about how Shamoon2 infects its hosts and its backend infrastructure. Neal Dennis, cyber threat intelligence analyst at Arbor Networks, said that thanks to third-party research the ASERT team was able to answer new questions regarding Shamoon2.
“It is our hope that by providing additional indicators, endpoint investigators and network defenders will be able to discover and mitigate more Shamoon2 related compromises,” Dennis wrote in a blog post explaining his research.
Last week IBM’s X-Force reported how Shamoon2 was infecting hosts. In its report, X-Force said document-based malicious macros were used as means of initial infections. Emails sent to targets included a document containing a malicious macro that, when approved to execute, enables command and control communications to the attacker’s server via PowerShell commands.
Next, attackers use that access to deploy additional tools and access further network resources. Attackers then download and deploy the Shamoon2 malware.
Using X-Force’s research as a springboard, Dennis said ASERT was able dig deeper and conduct a first-time analysis of the Shamoon2 backend infrastructure. By analyzing three X-Force malware samples, Dennis said he was able to trace them back to malicious domains, IP addresses, and other previous unknown Shamoon2 malware artifacts.
ASERT said its analysis of the Shamoon2 show connections with Middle Eastern state-sponsored groups such as Magic Hound and PuppyRAT. That may not be a major revelation, considering in 2012 Shamoon malware was also linked to Middle Eastern state-sponsored groups. “Now we can begin to see who is behind Shamoon2 and how its backend infrastructure works,” Dennis said.
Dennis said ASERT researchers were able to piggyback on X-Force’s research and cross-reference the malicious document author name “gerry.knight” and other IP addresses used by Shamoon2’s PowerShell to threat actors Magic Hound and PuppyRAT.
“In this case, a sample from the IBM report indicated the document author was ‘gerry.knight,'” Dennis said. That led ASERT to three additional samples of documents used to distribute malicious macros unrelated to the Shamoon2 campaigns, Dennis said. Those samples matched existing documents used in Magic Hound campaigns.
An additional clue was a “sloo.exe” file dumped by Shamoon2 in a targeted PC’s Temp folder. “The file was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this file, the sample also contacted 104.238.184[.]252 for the PowerShell executable,” Dennis wrote in a technical description of his research.
He said that separate research by Palo Alto Networks attributed the “sloo.exe” file and also related activities to Magic Hound.
Further analysis on IPs used by Shamoon2’s PowerShell also showed existing credential harvesting campaigns once used one the domain go-microstf[.]com which was originally set up to spoof Google Analytics login page. This spoof campaign, Dennis said, was active as recently as January, the timeframe of the last Shamoon2 attacks.
“We have pulled a lot of related research together here and connected a lot of dots for the first time,” Dennis said. “This additional research will hopefully provide more context into the ongoing Shamoon2 threat.”
