Based upon a recent resurgence in related attacks, the FirstWatch team is once again monitoring Shamoon activity.
Shamoon is the name given to a collection of malware agents that destructively impacts systems, and which was targeted specifically against the Saudi Arabian energy sector beginning in 2012. At that time, the Shamoon attack was widely considered to be the most destructive to be experienced by the business sector to date; with 35,000 impacted systems each either partially or completely wiped, and placing 10% of the worlds oil supply at risk, it was an unprecedented attack. For this reason, Shamoon was covered extensively by both the media and research communities, including analysis by FirstWatch. On the morning of the attack, responsibility for the attack was claimed in a pastebin post by the hacktivist group identifying itself as The Cutting Sword of Justice. Subsequent analysis by several State Intelligence Agencies, as well as the InfoSec threat research community arrived at a general consensus that the attack was in fact a state-sponsored attack, and that the hacktivist front was merely a cover.
Recently, Shamoon has returned after 4 years of inactivity; in November of 2016, Shamoon resurfaced in a targeted attack against the Saudi Arabian General Authority of Civil Aviation, with the disk wiper component having been configured to detonate at a time when staff would have gone home for the weekend, ensuring maximum destructive impact Later that month, a renewed attack using updated 64-bit variants occurred. Finally, in January of 2017 a third wave of attacks against multiple targets in both the public and private sectors was observed.
Here’s a summary of what we know about this resurgent wave of attacks:
- New variant first used in targeted attack against a single Saudi organization, the Saudi Arabia’s General Authority of Civil Aviation (GACA) (December) 
- Recent reports claim that as many as 11 Saudi orgs may have been targeted; Mandiant reported to be conducting response ops at several affected orgs 
- Indications that Shamoon 2 may be aligned with Greenbug, and leveraging the Ismdoor RAT 
- Infection vector is spearfishing; one potential subject may be “FINAL REMINDER!! TOP URGENT” 
- Email contains an archive (.rar) which includes PDF and CHM attachments which result in download/installation of Ismdoor RAT
- Following install of Ismdoor, attack leverages mimikatz and powercat to move laterally, extend impact
- Updated components still leverage a timing function designed to activate the wiper component at a preconfigured date and time
- Some components are identical to those leveraged in the 2012 attacks; the commercial EldoS RawDisk driver uses the same temporary license that expired in August of 2012, and simply manipulates the system clock in order to enable the RawDisk component
- Objective is delivery and execution of the Disttrack payload; Disttrack is highly destructive, and designed to damage as many systems as possible
- Samples are configured with invalid address for C2 server (either 18.104.22.168 or missing); Attacks have been coordinated to coincide with the end of the working week in Saudi Arabia in order to increase footprint over the weekend
- Once established, malware attempts to spread to ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on target systems using current privileges
- If unsuccessful, hardcoded credentials will be leveraged (* See Below)
- Prevalence of similarities in attack heuristics and TTPs suggest the same nation-state actor as 2012 attacks
Shamoon 2 now includes capabilities that allow it to target and impact virtualization products; VDI solutions such as Huawei’s FusionCloud may be specific targets 
- Important to note, as virtualization solutions have been leveraged as a mitigating capability against both destructive and ransom-based attacks;
- Many virtualization solutions run atop Linux, and thus are not directly affected by the Windows-only malware components; however, there are indication from recent attacks that attackers have been able to log in to management interfaces using compromised credentials and manually affect destructive actions agains the virtualized infrastructure
- Leverages stolen/harvested credentials to propagate and affect action on objectives 
- “16 sets of user and administrator account credentials hardcoded into the malware”
- “several of the usernames and passwords are found within official documentation as administrator accounts for Huawei’s virtualized desktop infrastructure (VDI) products, such as FusionCloud”
- No significant C2 communication identified for the core/legacy Shamoon components
* Note that the Greenbug Ismdoor RAT does have C2 check-in and beacon components; FirstWatch has published additional analysis of the Ismdoor trojan component of these attacks at https://community.rsa.com/community/products/netwitness/blog/2017/02/03/detecting-lsmdoor-variants-using-rsa-netwitness, and will continue to investigate.
Additionally, detection for these capabilities was released in the Emerging Threats ETPRO IDS rulesets on 1/25/2017 as follows:
- 2824617 - ETPRO TROJAN Greenbug Ismdoor Checkin (trojan.rules)
- 2824618 - ETPRO TROJAN Greenbug Ismdoor CnC Beacon (trojan.rules)
RSA NetWitness for Logs customers who are leveraging Snort or Suricata IDS sensors as a part of their detection suite may leverage these signatures for additional detection options.
Query contains "?commandId=CmdResult="
Query contains “//Home/GetFile?commandId=“
Query contains “//Home/SaveFile?commandId=CmdResult=“
Query contains “//Home/SaveFile?commandId=“
Greenbug Ismdoor RAT:
The RSA FirstWatch team is continuing to monitor and analyze these attacks and the associated malware, and will publish or communicate details as appropriate.