Raymond Carney

Recent resurgence in Shamoon

Blog post created by Raymond Carney on Feb 7, 2017

Based upon a recent resurgence in related attacks, the FirstWatch team is once again monitoring Shamoon activity.

Shamoon is the name given to a family of destructive malware that was used in targeted attacks against the Saudi Arabian energy sector beginning in 2012. At the time, the Shamoon attack was widely considered the most destructive yet experienced by the business sector[1]: some 35,000 systems were partially or completely wiped, placing 10% of the world's oil supply at risk. For this reason, Shamoon was covered extensively by both the media and the research community, including analysis by FirstWatch. On the morning of the attack, responsibility was claimed in a Pastebin post[2] by a hacktivist group calling itself the Cutting Sword of Justice. Subsequent analysis by several state intelligence agencies and by the InfoSec threat research community arrived at a general consensus that the attack was in fact state-sponsored, and that the hacktivist front was merely a cover.

Shamoon has now returned after four years of inactivity. In November 2016 it resurfaced in a targeted attack against Saudi Arabia's General Authority of Civil Aviation, with the disk wiper component configured to detonate at a time when staff would have gone home for the weekend, ensuring maximum destructive impact[3]. Later that month a renewed attack using updated 64-bit variants occurred, and in January 2017 a third wave of attacks against multiple targets in both the public and private sectors was observed.

Here's a summary of what we know about this resurgent wave of attacks:

  • New variant first used in a targeted attack against a single Saudi organization, Saudi Arabia's General Authority of Civil Aviation (GACA), in November 2016 [4]
  • Recent reports claim that as many as 11 Saudi organizations may have been targeted; Mandiant is reported to be conducting response operations at several affected organizations [5]
  • Indications that Shamoon 2 may be aligned with the Greenbug group, and leveraging the Ismdoor RAT [6]
  • Infection vector is spear phishing; one reported subject line is "FINAL REMINDER!! TOP URGENT" [7]
  • The email carries a .rar archive containing PDF and CHM attachments that result in download and installation of the Ismdoor RAT
  • Following installation of Ismdoor, the attackers leverage mimikatz (credential harvesting) and powercat to move laterally and extend the impact
  • Updated components still include a timing function designed to activate the wiper component at a preconfigured date and time
  • Some components are identical to those used in the 2012 attacks; the commercial EldoS RawDisk driver still carries the same temporary license, which expired in August 2012, and the malware simply sets the system clock back to a date inside the license window before loading the driver
  • The objective is delivery and execution of the Disttrack payload; Disttrack is highly destructive and is designed to damage as many systems as possible
  • Samples are configured with an invalid C2 address (either 1.1.1.1 or none at all), so the core components do not call home
  • Attacks have been timed to coincide with the end of the working week in Saudi Arabia, so that the malware spreads and detonates over the weekend while nobody is on hand to respond
  • Once established, the malware attempts to spread to the ADMIN$, C$\Windows, D$\Windows and E$\Windows shares on target systems using the current user's privileges
  • If that fails, it falls back to the hardcoded credentials described below
  • The many similarities in attack heuristics and TTPs suggest the same nation-state actor as the 2012 attacks
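The propagation and clock-manipulation behaviour in the list above can be hunted for in Windows Security telemetry. The Python script below is an added example, not part of the original post or of any FirstWatch tooling: it flags a single account and source address touching administrative shares on many hosts within a short window (Security event 5140, which needs the Object Access > Audit File Share policy enabled), and any system-time change that jumps the clock back by more than a month (Security event 4616, Audit Security State Change). The event records, host names, accounts, thresholds and the dropper path are constructed for the example; only the field names follow the event data of those two event IDs.

```python
# Added example (not from the original FirstWatch post): two hunting heuristics
# for the spread and clock-manipulation behaviour summarized above, run over
# constructed Windows Security event records. Field names mirror the event data
# of Security events 5140 (network share accessed) and 4616 (system time
# changed); hosts, accounts, timestamps and the dropper path are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares the post reports Shamoon writing to as it spreads.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _share_name(share):
    # Event 5140 reports the share as \\*\ADMIN$; keep only the trailing name.
    return share.rsplit("\\", 1)[-1].upper()


def detect_share_fanout(events, min_hosts=5, window_minutes=15):
    """Map (account, src_ip) -> sorted target hosts for every source that
    accessed an administrative share on at least min_hosts distinct hosts
    inside a sliding window of window_minutes. An admin fixing one box does
    not look like this; a spreader walking a subnet with one credential does."""
    touches = defaultdict(list)
    for ev in events:
        if ev["id"] == 5140 and _share_name(ev["share"]) in ADMIN_SHARES:
            touches[(ev["account"], ev["src_ip"])].append((_ts(ev["time"]), ev["target_host"]))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for key, items in touches.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {host for t, host in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


def detect_clock_rollback(events, max_backwards_days=30):
    """Return 4616 events that moved the clock backwards by more than
    max_backwards_days. An NTP correction is seconds; re-validating the
    expired RawDisk licence needs a jump back to 2012. No process is exempted:
    a multi-year rollback deserves a look whichever binary requested it."""
    limit = timedelta(days=max_backwards_days)
    return [ev for ev in events
            if ev["id"] == 4616
            and _ts(ev["previous_time"]) - _ts(ev["new_time"]) > limit]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # helpdesk touches two hosts more than an hour apart: normal activity
    {"id": 5140, "time": "2017-01-23T14:01:00", "account": r"CORP\helpdesk", "src_ip": "10.1.1.5", "target_host": "WS-01", "share": r"\\*\ADMIN$"},
    {"id": 5140, "time": "2017-01-23T15:30:00", "account": r"CORP\helpdesk", "src_ip": "10.1.1.5", "target_host": "WS-02", "share": r"\\*\C$"},
    # svc_backup hits admin shares on five hosts inside four minutes: fan-out
    {"id": 5140, "time": "2017-01-23T14:02:00", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "WS-01", "share": r"\\*\ADMIN$"},
    {"id": 5140, "time": "2017-01-23T14:02:30", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "WS-02", "share": r"\\*\C$"},
    {"id": 5140, "time": "2017-01-23T14:03:00", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "WS-03", "share": r"\\*\ADMIN$"},
    {"id": 5140, "time": "2017-01-23T14:04:00", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "WS-04", "share": r"\\*\D$"},
    {"id": 5140, "time": "2017-01-23T14:06:00", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "WS-05", "share": r"\\*\ADMIN$"},
    # a non-administrative share is ignored by the heuristic
    {"id": 5140, "time": "2017-01-23T14:06:30", "account": r"CORP\svc_backup", "src_ip": "10.1.1.9", "target_host": "FS-01", "share": r"\\*\Public"},
    # benign two-second correction by the Windows Time service
    {"id": 4616, "time": "2017-01-23T14:00:02", "account": "NT AUTHORITY\\LOCAL SERVICE", "process": r"C:\Windows\System32\svchost.exe", "previous_time": "2017-01-23T14:00:00", "new_time": "2017-01-23T14:00:02"},
    # clock rolled back to 2012 by an unknown binary (hypothetical path)
    {"id": 4616, "time": "2017-01-26T16:45:00", "account": r"CORP\svc_backup", "process": r"C:\Windows\Temp\dropper.exe", "previous_time": "2017-01-26T16:45:00", "new_time": "2012-08-15T03:00:00"},
]

if __name__ == "__main__":
    for key, hosts in detect_share_fanout(SAMPLE_EVENTS).items():
        print("admin-share fan-out:", key, "->", hosts)
    for ev in detect_clock_rollback(SAMPLE_EVENTS):
        print("clock rollback:", ev["process"], "set time to", ev["new_time"])
```

Tune min_hosts and window_minutes against your own baseline: backup, patching and inventory accounts legitimately fan out to many hosts and will need an allow-list of their own. The clock check deliberately does not exempt any process by path, so a rollback performed through an injected or renamed system binary is still surfaced.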

Shamoon 2 now includes capabilities that allow it to target and impact virtualization products; VDI solutions such as Huawei's FusionCloud may be specific targets [8]

  - This is important to note, as virtualization solutions (and the snapshots they provide) have been leveraged as a mitigating capability against both destructive and ransom-based attacks;

  - Many virtualization solutions run atop Linux and so are not directly affected by the Windows-only malware components; however, there are indications from recent attacks that the attackers have been able to log in to management interfaces using compromised credentials and manually carry out destructive actions against the virtualized infrastructure

- Leverages stolen/harvested credentials to propagate and to effect actions on objectives [8]

  - "16 sets of user and administrator account credentials hardcoded into the malware"

  - "several of the usernames and passwords are found within official documentation as administrator accounts for Huawei's virtualized desktop infrastructure (VDI) products, such as FusionCloud"

- No significant C2 communication has been identified for the core/legacy Shamoon components

  * Note that the Greenbug Ismdoor RAT does have C2 check-in and beacon components; FirstWatch has published additional analysis of the Ismdoor trojan component of these attacks at https://community.rsa.com/community/products/netwitness/blog/2017/02/03/detecting-lsmdoor-variants-using-rsa-netwitness and will continue to investigate.

  Additionally, detection for these capabilities was released in the Emerging Threats ETPRO IDS ruleset on 1/25/2017 as follows:

    - 2824617 - ETPRO TROJAN Greenbug Ismdoor Checkin (trojan.rules)

    - 2824618 - ETPRO TROJAN Greenbug Ismdoor CnC Beacon (trojan.rules)

RSA NetWitness for Logs customers who use Snort or Suricata IDS sensors as part of their detection suite can leverage these signatures for additional detection options.

IOCs

Domains:

winappupdater.com

update.winupdater.com

User Agent:

WinHttpClient

Query Strings:

Query contains "?commandId=CmdResult="

Query contains "//Home/GetFile?commandId="

Query contains "//Home/SaveFile?commandId=CmdResult="

Query contains "//Home/SaveFile?commandId="
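As an added example (not from the original post), the script below applies the network indicators listed above to HTTP proxy log lines: the two C2 domains (including their subdomains), the WinHttpClient User-Agent, and the /Home/GetFile and /Home/SaveFile commandId query patterns. The log format and every sample line are constructed for the example; only the indicator values come from the list. Domain and URI matches are reported as high confidence, while the User-Agent string on its own is reported as low confidence, since a bare User-Agent is a weak indicator.

```python
# Added example (not from the original post): match the network indicators
# above (C2 domains, User-Agent, URI query patterns) against HTTP proxy log
# lines. The log format and every sample line are constructed for this
# example; the indicator values themselves are the ones listed in the post.
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"winappupdater.com", "update.winupdater.com"}
C2_USER_AGENT = "WinHttpClient"
# Path + query shapes from the IOC list. The post shows a leading double slash
# (//Home/GetFile); repeated slashes are collapsed before matching so both the
# double- and single-slash forms are caught.
C2_PATHS = {"/home/getfile", "/home/savefile"}
C2_QUERY_MARKER = "commandId="

# Constructed log format: time src_ip method url "user-agent" status
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def _domain_match(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(line):
    """Return (confidence, reasons, fields) for one log line, or None when
    nothing matched. Domain and URI hits are high confidence; the bare
    User-Agent is only low confidence on its own."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line; surface these separately in real use
    ts, src, method, url, ua, status = m.groups()
    parts = urlsplit(url)
    path = re.sub(r"/+", "/", parts.path).lower()
    reasons = []
    if _domain_match(parts.hostname or ""):
        reasons.append("c2-domain")
    if path in C2_PATHS and C2_QUERY_MARKER in parts.query:
        reasons.append("ismdoor-uri")
    if ua == C2_USER_AGENT:
        reasons.append("user-agent")
    if not reasons:
        return None
    confidence = "high" if set(reasons) & {"c2-domain", "ismdoor-uri"} else "low"
    return confidence, reasons, {"time": ts, "src_ip": src, "url": url}


def scan(lines):
    """Run classify over an iterable of log lines and return the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample lines (not real proxy logs).
SAMPLE_LOG = """\
2017-01-26T09:10:00 10.1.1.5 GET http://www.example.com/index.html "Mozilla/5.0" 200
2017-01-26T09:12:03 10.1.1.9 GET http://update.winupdater.com//Home/GetFile?commandId=17 "WinHttpClient" 200
2017-01-26T09:12:05 10.1.1.9 POST http://update.winupdater.com//Home/SaveFile?commandId=CmdResult=17 "WinHttpClient" 200
2017-01-26T09:20:41 10.1.1.9 GET http://203.0.113.10/Home/GetFile?commandId=18 "WinHttpClient" 200
2017-01-26T09:31:00 10.1.1.12 GET http://www.example.org/update.xml "WinHttpClient" 200
2017-01-26T09:40:00 10.1.1.15 GET http://cdn.winappupdater.com/x.bin "Mozilla/5.0" 200
""".splitlines()

if __name__ == "__main__":
    for confidence, reasons, fields in scan(SAMPLE_LOG):
        print(confidence, fields["src_ip"], fields["url"], ",".join(reasons))
```

The URI check is the more durable of the three: the samples in this wave carried no working C2 address for the core components, so a host hitting the Ismdoor /Home/GetFile or /Home/SaveFile pattern against an address that is not in the domain list (the 203.0.113.10 line above) is still worth a ticket.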

 

File Hashes (SHA-256):

Disttrack:

9b53a6a1718cec676aa5d6b66d397575467a5f98aaa94d03f07b071d66df1ee6

56bbd62d4cc7361b4fae0643152f90c22c599b3ef4f8a7fa55fd6b5a1555de4c

c8d0e0a93b883f1931a5af8ac4b5282218e23f84f0fa87c48ae74a63c5fe9e18

ed4f2b3db9a79535228af253959a0749b93291ad8b1058c7a41644b73035931b

aa6c7c2ad6d0d961196edaba7b5bb7a930d9cb850aa69abee02c9c0479f97e86

a4368ae01230511bcf2d114d395db6dff56aeb33ee3a73621185c1c4215903de

17e8c94822cbb4fe2a1a903016e6786ee0576a98c20128fbdf21edeeede73b58

6bccb9f7c5e81696d4409228cf69ada444c7d9e9d134d136c86edb95892a803f

332484e0f0e5d2c4f45a9d840b2946d247b0aa03697e1a1196f04a330a37fede

8683639ff5cc4db9955c61c28922637d10bb9cdaa20ad260292f8e90de198205

c3fb4127616e7d3cab8bcef60a8890374a95c171daf502343b5d1909645c7634

610de21a37aad19266970b212ec8043468584061c368c0a727e7804bce964ac9

91511b9b050c9e4d8c5ce028254e1966c652c682e165aa01c938d6f193835279

b9fe972bfa58352d5297a4f2f9bbdc4818126b584d1b0f4610827b5cf7731741

4d972a35d0a9f7dbbff99a1b319cd0afff587210c9477f93d9ff0e4164194a45

c1895040f30b3feedd724fcb7e27e118fa637e3aa420980d0efb2d069c389925

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a

d77952b5600b103b37a64630b50046da77411ded5c1599c0b5380ffb57452e1b

4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6

660a4bbdad75a8bad8d37162de7cf769dff92043a22576d133b7b047252a138a

1f6038ef51ccafaefa5491e4bc2dfe04ff61a0b8f30f644bfe6a3176a7f0f0d2

f2bb8d5729a5080707de95dcd4e12bc164e432c1d72d8a762391ba8951a91cf7

b8f8421ebfd9050d33406a0befc4e415efbaec094abd1366bbd837f1e3207ab6

bf4a80a379803c765ef5163ee7422a30d8f35820e38690f11a27fa605dd20ffa

c37142437a30e7b15ca78b3ff832aaa64b7443b02b92caf70dcb5b19c25e2225

4547c6a2b00ae84f9dd9ff9661d4543bf1dc633d60d98badbc96a1f83eff6284

6a70a9a9aad38ccdb25cd87749319a925278d33bc9ba277095c67b2c10b82278

7a26e8e3d63c101a839a26abd007ba842838a29f569fc3efa82baa50774d75d6

0936e32abd03f1bf678cce7203bb3017113d290d2f78e3d8f69af6a5141ebdfe

EldoS RawDisk:

6e9a5681ed0e2683407e4bfcd05553207fa94a301cfc341de810b71be56bb700

448ad1bc06ea26f4709159f72ed70ca199ff2176182619afa03435d38cd53237

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34

394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b

7709da093dd9722e80c7c552a0935876b8d17ccf9ecc4784cffb1c1bc38dd9c0

d9b26d4ce4227be02842900e7a5c9bd6ca509fd79aae78f2cefc81c76e65f032

8cccb478de2c92b548f9976799f1b4da1bd8d6f1c821e7b0479b914939560310

5902a246ea00defd6371126b352bc3e13432cee18fef427f2ee40a6e0ba995eb

7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9

d56dbe26887a4bef9b2c8f0d05f4502b80083e62ba3c7299c02e01b9eefeb2e4

311457074e651bdb62301c210cd8232c5e7250b7c1a1837366c71d8400d5c91f

788aca28addbdf2588b160a9471f7421e402f4c6b74dd303a7997be83c9c8768

cd3d50629f0ed6b0ffeddd98b8cde57a6d00ec4b7f930f12ae7c0a980a9e9a00

7c7ff63898d59522bed1e4f0f7bd43a92a3167d66593628e040e36f90bfb2e5d

7076c1d5c8a56820d87681754880013771fcd743a8e8bae8509e1dc682f82a5b

c57a54fc2ec5e2e676652ad90bba1a571d003e81f1844137b5ebf730c8026971

25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9

b30b4b73be304b773e04d8b2a46d1a1d43b4b3ec6c8c847b8ddc007dcc40d6e4

01e860972e621c1bd6c990d1817ebc0309dd9298f0e0819cc14d2ffcaa1820e7

Wiper:

5a2f540018ca7c012a5d674bd929a0f38bf458043d4eeade1e2cdef94aab5eb8

8829c244fbe049e0910571a16828cad2fb68e4ba7bfcf2f21d169484a676213b

66fdb7e7d868346e730113ccb9977ca840c4c337434b5fe517f7b1a858fd8317

128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a

052f0eb5986e92afc5460eafec293f805851cf2a98bdd2d2aed97eec6c7946a9

Communications component:

61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842

b1c061138ba0cf34ba1dfb84e8ca89336d2a530808b42c363a69abfd6db8bf2a

7dad0b3b3b7dd72490d3f56f0a0b1403844bb05ce2499ef98a28684fbccc07b4

Greenbug Ismdoor RAT:

308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f

44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49

7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c

82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9

The RSA FirstWatch team is continuing to monitor and analyze these attacks and the associated malware, and will publish or communicate details as appropriate.

[1] http://www.reuters.com/article/us-usa-cyber-pentagon-shimoon-idUSBRE89B04Y20121012

[2] http://pastebin.com/HqAgaQRj

[3] http://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever

[4] http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

[5] http://saudigazette.com.sa/saudi-arabia/shamoon-2-0-targets-11-organizations-several-sectors/

[6] https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

[7] https://www.helpnetsecurity.com/2017/01/26/shamoon-infections/

[8] https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/second-wave-shamoon-2-disttrack-can-now-wipe-organizations-vdi-snapshots/
