A new version of the Shamoon data-wiping malware has emerged, marking the third time the destructive virus has been seen in the wild – and researchers believe a new campaign may be imminent.
First spotted in 2012 in the attack on Saudi Aramco, Shamoon has the ability to destroy files on infected machines and overwrite the master boot record (MBR) to cripple infected PCs. This wiper capability proved to be extraordinarily damaging to the Saudi oil giant, knocking 30,000 of the company’s workstations offline for almost a month. Shamoon then went underground for about four years before re-emerging in 2016 as Shamoon2. Like the original Shamoon malware, the updated version also destroyed computer hard drives by wiping the MBR and the data. It also struck petrochemical targets and the Saudi Arabian central bank system before disappearing again.
Now, according to Chronicle security researchers, two new samples were uploaded to VirusTotal on Monday, Dec. 10, 2018, originating in Italy. Curiously, they have a hard-coded trigger date that’s set for a year ago, on Dec. 7, 2017 – but Chronicle hasn’t spotted the malware yet in any campaigns (although an attack this week on Saipem in Italy could be Shamoon’s work — more on that in a moment).
“The reappearance of this malware is very interesting,” said Brandon Levene, head of applied intelligence, speaking to Threatpost. “The trigger date can lend itself to multiple potential lines of thought.”
For instance, the older date could indicate that the malware itself is old but only recently discovered – a scenario Levene said is unlikely, given that the malware would still have executed if used after the trigger date had passed. Another possibility is that the malware was pre-built and is now ready to deploy in advance of a campaign. “The actors could have used an intentional historic trigger date to immediately start destructive operations,” Levene told us.
Or, equally concerning, “actors had access to an environment of interest and wanted to guarantee execution of their destructive payload, so they set a trigger date far in the past,” Levene said.
He added that his team has not been able to determine who created the sample or who uploaded it to VirusTotal. However, “seeing Shamoon in the wild again is highly unusual given its highly targeted nature,” Levene said. “This leads me to assume that a new target was selected.”
Key Malware Differences
Upon analysis, these “Shamoon3” samples closely match historic versions of the malware. However, aside from the trigger date, a notable difference from previous variants is the nature of the credential list contained in the samples.
Similar to other destructive malware, such as NotPetya, Shamoon spreads using authenticated Windows Server Message Block (SMB) sessions, copying itself to other systems. However, instead of using external tools or something like the EternalBlue exploit to infiltrate networks, Shamoon typically uses a set of hard-coded domain credentials specific to the target organization.
This time, the analyzed versions do not contain those credentials, which would be required for its trademark, automated, worm-like spreading.
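The spreading behaviour described above (an authenticated account copying an executable over SMB to many hosts in quick succession) leaves a recognisable pattern in share-access telemetry. The following is an added detection example, not code from Chronicle or from the article; it runs over constructed, simplified log lines modelled on the fields of Windows Security event 5145 (network share object accessed), and the host names, addresses, account names and the dropped file name are all made-up placeholders.

```python
"""Flag one account writing executables to admin shares on many hosts.

Constructed, simplified lines modelled on the fields of Windows Security
event 5145; they are not real telemetry and use placeholder names.
"""
import re
from collections import defaultdict

# Shares that an automated SMB spreader would write a copy of itself to.
ADMIN_SHARES = {"ADMIN$", "C$"}

LINE_RE = re.compile(
    r"host=(?P<host>\S+) src=(?P<src>\S+) account=(?P<account>\S+) "
    r"share=(?P<share>\S+) target=(?P<target>\S+) access=(?P<access>\S+)"
)

# Constructed sample: one service account fans out an .exe to three hosts,
# mixed with benign reads and an ordinary document write.
SAMPLE_LOGS = [
    r"5145 host=ws01 src=10.0.0.5 account=CORP\svc_deploy share=\\*\ADMIN$ target=\dropper.exe access=WriteData",
    r"5145 host=ws02 src=10.0.0.5 account=CORP\svc_deploy share=\\*\ADMIN$ target=\dropper.exe access=WriteData",
    r"5145 host=ws03 src=10.0.0.5 account=CORP\svc_deploy share=\\*\C$ target=\Windows\dropper.exe access=WriteData",
    r"5145 host=fs01 src=10.0.0.9 account=CORP\jdoe share=\\*\Shared target=\q4\report.docx access=WriteData",
    r"5145 host=ws04 src=10.0.0.7 account=CORP\svc_backup share=\\*\C$ target=\Users access=ReadData",
    r"5145 host=ws05 src=10.0.0.7 account=CORP\svc_backup share=\\*\C$ target=\Users access=ReadData",
]


def parse(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_exe_write_to_admin_share(ev):
    """True when an executable is written to an administrative share."""
    share_name = ev["share"].rsplit("\\", 1)[-1].upper()   # \\*\ADMIN$ -> ADMIN$
    return (share_name in ADMIN_SHARES
            and "WriteData" in ev["access"]
            and ev["target"].lower().endswith((".exe", ".dll")))


def find_fanout(lines, min_hosts=3):
    """Map (account, source IP) to the sorted hosts it wrote executables to,
    keeping only pairs that reached at least min_hosts distinct hosts."""
    reached = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and is_exe_write_to_admin_share(ev):
            reached[(ev["account"], ev["src"])].add(ev["host"])
    return {k: sorted(v) for k, v in reached.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (account, src), hosts in find_fanout(SAMPLE_LOGS).items():
        print(f"ALERT: {account} from {src} wrote executables to {len(hosts)} hosts: {hosts}")
```

The threshold is deliberately low for the constructed sample; in production it should be tuned against the volume of legitimate software deployment traffic.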
“Unlike prior versions, credentials contained in this version do not contain enough information for victim attribution,” Chronicle said in an analysis shared with Threatpost. “Further findings indicate that the spreader module is actually neutered; it does not contain credentials.”
Also, in 2012 and 2016, the malware contained an image (a burning American flag and a Syrian refugee child, respectively) which was used to replace the destroyed files. The version analyzed by Chronicle still has the capability to do this, but the image’s normal location in this instance is empty.
“Instead, the malware simply encrypts the files and overwrites the MBR with random data,” Levene said. He added, “What surprises me the most is that this variant seems to have been scaled back from the previously observed versions.”
Additionally, a key difference from the earlier code is a change in the filename list used for selecting a dropped executable name. The new list is longer and doesn’t have any overlap with Shamoon or Shamoon2, Chronicle found.
Overall, “I’d assign this as a very high threat level. Use of overtly destructive malware in a targeted fashion is cause for concern from vulnerable organizations – even without the embedded credentials,” Levene told us. “The Middle East is a hotbed of non-financially motivated activity, so it would be prudent to continue to monitor important resources and industries for additional reports of sabotage and compromise.”
Saipem Italian Connection?
While Levene said that Chronicle hasn’t spotted an attack, Italian oil-drilling company Saipem said Monday that more than 300 of the company’s servers in India, Italy, the Middle East and Scotland were hit with malware that it suspected to be Shamoon.
The attack “led to the cancellation of data and infrastructures, typical effects of malware.” The company said in a statement that it’s slowly restoring its infrastructure “in a controlled manner.” However, it didn’t offer further details.
Given the provenance of the VirusTotal samples, it’s likely that Saipem uploaded the samples during its investigation — although this hasn’t been confirmed.