11:13 AM

Shamoon Malware Might Be Flame Copycat

August attack on Saudi energy company likely work of "anti-tyranny" hacktivist group Cutting Sword of Justice, probably a Flame copycat, say security experts.

Malware known as Shamoon that targeted multiple energy companies and erased the hard drives of infected computers appears to have been designed not by a nation state for the purposes of cyber attacks or espionage, but rather by a band of activists protesting the commercialization of oil reserves in some Arab countries.

That revelation was announced Wednesday by Eugene Kaspersky, chairman and CEO of Kaspersky Lab, who noted that the stop time coded into the malware matched the time mentioned in a Pastebin post by the Cutting Sword of Justice group. "We can confirm that #Shamoon kill-timer is the same (08:08 UTC) as announced in anons statement," tweeted Kaspersky.

According to the group's Pastebin post, "the destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours." The Pastebin post was uploaded that same day.

In a blog entry, Dmitry Tarakanov, a security researcher at Kaspersky Lab, said he found that the Shamoon malware contains a timing feature that checks for the date mentioned in the Pastebin post, thus connecting Cutting Sword of Justice to the Shamoon malware. Shamoon, "Simon" in Arabic, was named after the "string of a folder name within the malware executable," according to Seculert.

Here's where the date check comes into play: While the Shamoon malware dropper, or installer, is working through its infection routine, it checks whether the hardcoded date, noted above, has arrived. If the date has passed, the malware proceeds to the final stage of its infection, which involves destroying data and overwriting the PC's master boot record, thus making the machine unusable. Despite that intent, "it seems that the function to check the date works incorrectly," said Tarakanov, owing to the developer having gotten a simple date-checking coding routine wrong. Still, the malware often ends up proceeding to the final stage of infection anyway.

In its initial analysis of the malware, a team from Kaspersky said that one of the malware's modules was named Wiper, which is another name for the Flame espionage malware that was used to infect PCs in numerous countries including Egypt and Iran. In addition, Shamoon appeared "to be collecting information about 'interesting' files on the infected system," and sharing it with attackers, suggesting that it, too, might have been designed for espionage purposes.

But at the time, Kaspersky noted that any direct link with Flame appeared to be tenuous at best, because Flame employed specific service names and drivers that didn't appear in Shamoon, as well as an entirely different technique for deleting data on infected hard drives. "It is more likely that this is a copycat, the work of a script kiddies inspired by the story," according to the Kaspersky analysis. "Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often."

Building on that research, Tarakanov said Wednesday that the coding error was yet more proof that the authors of Flame and Shamoon were different. "This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems," he said. "Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine."

So, who exactly is Cutting Sword of Justice? The group's Pastebin post said they're "an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt," and singled out the ruling Al Saud regime in Saudi Arabia for corruption, financed by "Muslims (sic) oil resources."

According to the Pastebin post, the group first targeted its malware at Saudi Aramco, which is the state-owned national oil company of Saudi Arabia. "We penetrated a system of Aramco company by using the hacked systems in several countries and then sended (sic) a malicious virus to destroy thirty thousand computers networked in this company," said the hacktivist group.

Cutting Sword of Justice suggested that Shamoon wouldn't be its last malware attack. "We invite all anti-tyranny hacker groups all over the world to join this movement," it said. "We want them to support this movement by designing and performing such operations, if they are against tyranny and oppression."
