Researchers on Monday reported progress in piecing together some of the missing pieces of the Shamoon 2 puzzle that have been eluding them when it comes to lateral network movement and execution of the Disttrack malware component used in past campaigns.
Shamoon 2 uses a combination of legitimate tools, such as the open source utility PAExec, and batch scripts to evade detection and spread itself throughout a network, researchers at Palo Alto said, adding there are new links between Shamoon 2 and the Magic Hound campaign.
Shamoon has been blamed for nearly a decade of destructive campaigns against organizations based in Saudi Arabia. Disttrack is the Shamoon malware component and is known for its hallmark destructive behavior, where it spreads through the company’s network and overwrites the Master Boot Record on every computer it finds.
“What’s new here is the actual distribution and spreading mechanism of the Disttrack malware. Nobody has figured out how the adversaries are doing this. What we found, they are using a rudimentary but effective technique for spreading Disttrack and wiping systems,” said Bryan Lee, threat intelligence analyst.
Researchers observed in the latest Shamoon 2 campaigns, that the group behind the attacks leveraged not only user credentials of those it was targeting, but also the local host names and IP address of associated servers and endpoints within a targeted network.
“We have found evidence that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network,” wrote Robert Falcone, threat intelligence analyst and Lee, who co-authored a research blog on the findings.
Researchers said they found a Zip archive in January that contains files which the attacker used to infect other systems on the targeted network. “The actor deploys the Zip archive to this distribution server by logging in to the compromised system using Remote Desktop Protocol (RDP) with stolen, legitimate credentials and downloading the Zip from a remote server,” researchers note.
From a single compromised system, attackers are able to distribute Disttrack to other systems on a local network via a list of 256 other system host names and IP addresses that were previously acquired.
“While we do not know exactly how the threat actor initially compromised and gained RDP access to the Disttrack distribution server, we believe the actor downloads a Zip archive contained a number of files to this system,” Lee said.
The set of files saved to the distribution server are executables, batch scripts and text files, including; “exec-template.txt,” “ok.bat” and “pa.exe” to name a few. Interestingly, researchers note, the text files were sequentially numbered between 1 to 400 and contained DNS values for hostnames of systems already on the targeted network. Palo Alto believes the computer and host names were obtained from prior network probing and sourced from the Active Directory on the domain controller of the infected network.
Next, instead of running a batch script – as researchers previously assumed happened – adversaries manually copy the contents of exec-template.txt and pastes these commands directly within command prompt to run them. Now, the “ok.bat” batch script runs on each of the hostnames targeted.
“This batch script is responsible for deploying Disttrack on each of these systems on the network. The script begins by copying two files to the “C:\Windows\temp” folder on the remote system. The two copied files – named “ntertmgr32.exe” and “ntertmgr32.bat” – are the Disttrack payload and a batch script used to install the Disttrack payload on the local system, respectively,” according the research.
Part of the obfuscation of Disttrack is to use PAExec (“pa.exe”) application to run the “ntertmgr32.bat” installation script. “With the exception of meterpreter (a component of Metasploit), the tools and batch scripts used are meant to fly under the radar of IT admin,” Lee said.
While other organizations, such as Arbor Networks and IBM’s X-Force, have also found some connections between Shamoon and Magic Hound, there has been little more than circumstantial connections, Lee said.
“What we have here is, not something completely concrete either, but strong new indicators of a relationship between Shamoon 2 and Magic Hound,” he said.
Links between Magic Hound and Shamoon 2 include sharing the same London-based C2 server and IP range. “The use of this specific IP (by Shamoon) is interesting, as the Magic Hound campaign we previously reported on (February 2017) used a command and control (C2) server at 45.76.128[.]165, which is on the same Class C IP range,” Lee said.
Other similarities include targeting of entities within Saudi Arabia and sharing the same modus operandi of using PowerShell commands and the utility Meterpreter.