Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents have occurred in public and private sectors.
The code for the current revision is almost identical to the original version. The main change is the addition of a victim's credentials, used to spread and execute the wiper across a large part of the environment. The resource table (shown in a screenshot in the original post) confirms that the old encoded resource names PKCS12, PKCS7, and X509 are still present in the new variants but are not used.
A question that many of us in the industry have asked ourselves is: "How were the attackers able to gain the credentials from so many victims in the Middle East?" Let's approach this from the attacker's view and follow the Cyber Kill Chain steps.
An attack group prepares a plan and identifies the victims it wants to hit to create an impact or make a statement. The group gathers email addresses and other open-source intelligence as the first step to preparing for the campaign. They register domains, code backdoors, and prepare for the reconnaissance phase. When all is tested, the initial attack starts with spear phishing:
The victims receive emails such as the business proposal shown in the original post. The email also contains a tempting attachment. When opening the attachment, some victims saw a document demanding that they enable macros (screenshot in the original post).
Any requirement to activate macros before seeing content should set off alarm bells. Analyzing the document confirmed our suspicions.
Decoding the obfuscated macro code results in a PowerShell script that proceeds to download a file, a Trojan capable of gathering system information and downloading other tools.
In other cases, we found a backdoor using a PowerShell script to gather information from the system and write it to a temporary file (code snippet shown in the original post).
We also found a script that creates an instance of Mimikatz, a tool known for dumping user credentials from a computer:
- CreateMimi1.Bat or CreateMimi2.Bat
When all the data are gathered, the information is uploaded. To open a command channel, the attackers used, for example, a PowerShell script that launches Powercat, a TCP/IP "Swiss army knife" that works with netcat (code example shown in the original post).
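The collection and command-channel stages described above leave host-level traces that a defender can match. As an added example (not code from the original post or from McAfee), the following Python runs three rules over constructed Sysmon-style events: an Office application spawning PowerShell (the macro stage), PowerShell writing a file named with the Tmp[6 digits].txt syntax listed in the indicators, and PowerShell opening an outbound connection (the Powercat channel). The pipe-delimited event format, paths, and addresses are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events (format and values are assumed for this example,
# not indicators from the page): "<EventId>|<Image>|key=value|key=value".
# Event 1 = process create, 3 = network connection, 11 = file create.
SAMPLE_LOG = """\
1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
11|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetFilename=C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\Tmp765643.txt
3|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|DestinationIp=198.51.100.7|DestinationPort=443
11|C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\Tmp76.txt
1|C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe
"""

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
# Collection file syntax reported in the indicators: Tmp + six digits + .txt under %localappdata%\Microsoft\Windows
TMP_COLLECTION = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\Tmp\d{6}\.txt$", re.IGNORECASE)

def parse_event(line):
    """Split one pipe-delimited event into (event_id, image, {key: value})."""
    event_id, image, *pairs = line.split("|")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return int(event_id), image, fields

def is_powershell(image):
    return image.lower().endswith("\\powershell.exe")

def detect(log_text):
    """Return [(line_no, rule_name)] for events matching the staging tradecraft described above."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        event_id, image, f = parse_event(line)
        parent = f.get("ParentImage", "").upper()
        if event_id == 1 and is_powershell(image) and parent.endswith(OFFICE_APPS):
            hits.append((line_no, "office-macro-spawned-powershell"))   # macro -> PowerShell downloader
        elif event_id == 11 and is_powershell(image) and TMP_COLLECTION.search(f.get("TargetFilename", "")):
            hits.append((line_no, "sysinfo-collection-tmpfile"))        # backdoor writing Tmp######.txt
        elif event_id == 3 and is_powershell(image):
            hits.append((line_no, "powershell-outbound-connection"))     # Powercat/netcat-style channel
    return hits
```

The fourth and fifth sample lines are negative cases: a four-digit Tmp file written by Explorer and an ordinary cmd.exe launch produce no alert.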
The attackers then sort the victims' credentials to get an indication of the IP range and the likely scale of the network. Depending on the goal of the attack, a selection of victims can be made to serve the cause. Starting from the original Shamoon code, the current attackers made several changes:
- Added victims’ credentials
- Replaced picture from flag to boy
- Changed resource language to Yemeni Arabic
- Tested samples
Delivery/Exploitation/Installation/Control servers/Action on objectives
In these phases, the actors needed only one or two hosts in the victim’s network as a beachhead to upload the wipers and scripts. Because the attackers already had valid credentials, no exploitation was needed.
The batch file copies ntertmgr32.exe (one of many filenames of the Shamoon 2 variant) and starts it. Once the hardcoded date was reached, systems were wiped. Objective accomplished.
Our analysis of the execution of this attack tells a story about the actors' capability and skills. Their attack precision is very good; they know whom and what to attack, in this case to disrupt and leave a statement. Their focus is on Windows, and they use well-known practices to gather information and credentials, with no zero days. From a coding perspective, many security industry colleagues have already commented on the sloppy coding practices. From an operations security perspective—how well are the actors able to hide details that could lead to them?—we noticed that quite a few details are available: email addresses, program database paths, and Yemeni Arabic as the language identifier of almost all the samples, although we discovered one sample with a different language identifier. Was that on purpose, or a slip by the actor because this was a large campaign?
- Domain registered on 2016-11-25 by [email protected]
- Samples with hashes 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site
File locations and filenames:
Collection of system information:
- %localappdata%\Microsoft\Windows\Tmp765643.txt (where Tmp[6 digits].txt is the naming syntax)
Filenames and Locations:
Interesting strings in code samples:
- F:\Projects\Bot Fresh\Release\Bot Fresh.pdb
Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver.
The language of these three components—PKCS12 (wiper), PKCS7, and X509—is lang:9217, which translates to Yemeni Arabic. We also see both 32- and 64-bit versions.
The malware spreads over the network using the IPC$ share and administrator credentials from the targeted organization embedded in the sample, so from one of the samples we can assume that the attackers already had a beachhead from which to gather these credentials. The password was also very strong, another indicator that the attackers had network access with which to compromise passwords and accounts. Indeed, our Foundstone team, which has conducted significant work on both campaigns, has confirmed that individuals (not related to the attacks) have shown off their technical prowess by publishing the compromised credentials on public forums.
The malware tries to disable User Account Control, verifies whether it is running with admin credentials, and drops the payload in the System32 folder. Another run option is to use the AT command to schedule a job that executes the payload.
The wiper component was hardcoded to start Thursday, November 17 at 20:45, after the beginning of Saudi Arabia’s Friday holiday, when most employees have left and after the evening prayer time.
The wiper component verifies the date and extracts the wiper component to System32 using the same random names generated by the Shamoon code from 2012. The wiper has three options for deletion: F, E, and R. The F option wipes the data with the JPEG of the Syrian refugee boy Alan Kurdi lying drowned on the beach. The E and R options wipe using random values. Shamoon 1 used a JPEG of a burning US flag.
Also, during the mass deletion, the wiper uses the Eldos RawDisk driver and changes the system time to August 2012, probably to keep the driver's temporary trial license from appearing expired.
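The spreading and staging behaviour described in this analysis (one set of admin credentials pushed over IPC$ to many hosts, an AT job to run the payload, and the clock rolled back to August 2012 for the RawDisk trial license) can be correlated from Windows Security events. This is an added example, not code from the original post or from McAfee; the JSON-lines event shape, hosts, addresses, account name and timestamps are constructed placeholders, and the rules assume the real event IDs 4624 (logon), 4698 (scheduled task created) and 4616 (system time changed), with AT jobs appearing as tasks named At1, At2, and so on.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security events as JSON lines (hosts, IPs, account and times are
# placeholders, not indicators from the page). 4624 = logon, 4698 = task created, 4616 = time changed.
SAMPLE_EVENTS = """\
{"id":4624,"host":"FS01","time":"2016-11-17T19:02:10","src_ip":"10.0.5.20","user":"svc_backup","logon_type":3}
{"id":4624,"host":"HR02","time":"2016-11-17T19:02:12","src_ip":"10.0.5.20","user":"svc_backup","logon_type":3}
{"id":4624,"host":"ENG07","time":"2016-11-17T19:02:15","src_ip":"10.0.5.20","user":"svc_backup","logon_type":3}
{"id":4624,"host":"DB03","time":"2016-11-17T19:02:17","src_ip":"10.0.5.20","user":"svc_backup","logon_type":3}
{"id":4698,"host":"HR02","time":"2016-11-17T19:02:20","user":"svc_backup","task":"At1"}
{"id":4616,"host":"HR02","time":"2016-11-17T20:45:03","previous_time":"2016-11-17T20:45:03","new_time":"2012-08-15T20:45:03"}
{"id":4624,"host":"FS01","time":"2016-11-17T08:15:00","src_ip":"10.0.9.4","user":"jdoe","logon_type":3}
"""

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_fan_out(events, window_seconds=60, min_hosts=3):
    """One source using one account for network logons (type 3) to many hosts within a short
    window: the pattern of the dropper pushing itself over IPC$ with embedded admin credentials."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_key[(e["src_ip"], e["user"])].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for (src, user), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append(("admin-credential-fan-out", src, user, len(hosts)))
                break  # one alert per (source, account) pair is enough
    return alerts

def detect_staging(events, max_rollback_days=365):
    """AT-style job creation (tasks named At1, At2, ...) and a system clock rolled back by more
    than a year, as with the reset to August 2012 for the RawDisk trial license."""
    alerts = []
    for e in events:
        if e["id"] == 4698 and re.fullmatch(r"At\d+", e.get("task", "")):
            alerts.append(("at-job-created", e["host"], e["task"]))
        elif e["id"] == 4616:
            rollback = datetime.fromisoformat(e["previous_time"]) - datetime.fromisoformat(e["new_time"])
            if rollback.days > max_rollback_days:
                alerts.append(("system-clock-rolled-back", e["host"], e["new_time"][:7]))
    return alerts
```

The single jdoe logon from another source stays below the fan-out threshold, so only the svc_backup burst is reported.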
We have found many similarities between the 2012 attack and this recent campaign. There are a few alterations to the code and political themes, but overall we see a similar framework and process.
In cooperation with McAfee Labs we can confirm that all related samples of this attack are detected by the signature DistTrack![partial-hash].
The driver used for the wiper is legitimate software. Thus this threat carries the on-screen warning "Possibly Unwanted Program." We will continue our analysis, particularly as our Foundstone team identifies additional indicators.
A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation." The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.
Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran. Several Saudi government agencies were among the organizations attacked.
New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye. It isn't yet clear how the malware's "dropper" has gotten into the networks it has attacked. But once on a victim's Windows system, it determines whether to install a 32-bit or 64-bit version of the malware. According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17.