Over the last week, several reports have found that the Shamoon malware has re-emerged, including attacks against oil and gas companies in Italy and the Middle East, following a two-year absence.
Additionally, security researchers have found that this version of Shamoon is paired with a separate file-wiping component that overwrites the contents of files on infected systems before Shamoon itself overwrites the Master Boot Record, which leaves far less for recovery teams to salvage.
The first attack appears to have targeted Saipem, an Italian oil services company, which announced the incident on December 10. The company has been recovering since then and has found about 300 PCs infected with the malware.
Later, researchers at Symantec issued a December 14 report that found additional Shamoon attacks that targeted organizations in Saudi Arabia and the United Arab Emirates.
In the case of the Saipem incident, researchers with Palo Alto Networks' Unit 42 found that the attack used the Disttrack malware -- another name for Shamoon -- and that the sample they examined shares features with the attacks seen in 2016, which are sometimes called Shamoon 2.
It's through this examination that researchers found the new wiping capabilities.
"Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image. Instead it would overwrite the MBR [Master Boot Record], partitions, and files on the system with randomly generated data," according to the Unit42 analysis.
In this case, Disttrack acts as a dropper: it infects a PC and installs the wiper module on the system. Researchers also found that the dropper spreads the attack across the network by using stolen usernames and passwords to log into other computers.
Researchers also noted that the sample contained a hard-coded wipe date of "12/7/2017," which appears to be a mistake by the group. The stale date does not disarm the malware, however: "This older date is still effective as the Disttrack dropper will install and run the wiper module as long as the system date is after the wipe date," according to the report.
In its own analysis, Symantec found that the group behind the attack usually gathers these credentials during a reconnaissance phase before the main attack. The resulting list is first handled by a component called OCLC.exe and then passed to another tool named Spreader.exe, which copies all of the malware to as many computers as possible.
Symantec tracks the file-wiping component under its own name, the Filerase Trojan.
Symantec noted that the combination of the malware's ability to spread through the network and its file-wiping capability makes this particular attack difficult to recover from once it starts.
"While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible," according to the company's analysis.
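The distinction Symantec draws above, between a machine whose MBR is wiped and one whose files were wiped first, is easy to see on a toy disk image. The following is an added example written for this page, not code from Symantec, Unit 42, or the malware: it builds a constructed in-memory "disk" holding a fake MBR and two small PDF-like files, then applies two scenarios, an MBR-only overwrite (Shamoon's observed behaviour, per the Unit 42 quote above: random data rather than an image) and a Filerase-style overwrite of file contents followed by the MBR. A simple signature carver, the kind of recovery a forensic examiner would try on an unbootable disk, is then run against both. The layout, file names and sector count are assumptions for illustration; no real disk is touched.

```python
# Added illustration for this article: why files overwritten with random
# data are beyond forensic recovery even when a wiped MBR is not.
# Everything operates on an in-memory bytearray standing in for a disk image.
import random

SECTOR = 512
PDF_MAGIC = b"%PDF-"   # header signature a carver looks for
PDF_EOF = b"%%EOF"     # trailer signature used to cut the carved file

# Deterministic "random" overwrite so the demo is reproducible; a real wiper
# would use an unpredictable source, which changes nothing about the result.
_rng = random.Random(2018)

def random_bytes(n):
    return bytes(_rng.randrange(256) for _ in range(n))

def sample_pdf(text):
    """Constructed minimal PDF-like file: header, body text, trailer."""
    return PDF_MAGIC + b"1.4\n" + text + b"\n" + PDF_EOF

def build_image(files, sectors=64):
    """Constructed toy disk: fake MBR in sector 0, files laid out contiguously
    from sector 1 on sector boundaries. Returns (image, [(offset, size), ...])."""
    img = bytearray(SECTOR * sectors)
    img[0:16] = b"FAKE-BOOTCODE!!!"
    img[510:512] = b"\x55\xaa"          # classic MBR boot signature
    layout, off = [], SECTOR
    for content in files:
        img[off:off + len(content)] = content
        layout.append((off, len(content)))
        off += ((len(content) + SECTOR - 1) // SECTOR) * SECTOR
    return img, layout

def wipe_mbr(img):
    """Shamoon-style: overwrite sector 0 with random data. File data is untouched."""
    img[0:SECTOR] = random_bytes(SECTOR)

def wipe_files(img, layout):
    """Filerase-style: overwrite the bytes of every file with random data."""
    for off, size in layout:
        img[off:off + size] = random_bytes(size)

def carve_pdfs(img):
    """Signature carving: walk the raw image, cut from each %PDF- header to
    the next %%EOF. Needs no partition table or filesystem metadata."""
    data, found, pos = bytes(img), [], 0
    while True:
        start = data.find(PDF_MAGIC, pos)
        if start < 0:
            break
        end = data.find(PDF_EOF, start)
        if end < 0:
            break
        found.append(data[start:end + len(PDF_EOF)])
        pos = end + len(PDF_EOF)
    return found

def demo():
    """Run both scenarios on identical images and report what carving recovers."""
    files = [sample_pdf(b"constructed: drilling report"),
             sample_pdf(b"constructed: pipeline schematic")]

    # Scenario A: MBR overwritten, files left in place (machine will not boot).
    img_a, layout_a = build_image(files)
    wipe_mbr(img_a)
    carved_a = carve_pdfs(img_a)

    # Scenario B: file contents overwritten first, then the MBR.
    img_b, layout_b = build_image(files)
    wipe_files(img_b, layout_b)
    wipe_mbr(img_b)
    carved_b = carve_pdfs(img_b)

    return {
        "mbr_only": {"recovered": len(carved_a), "intact": carved_a == files},
        "files_then_mbr": {"recovered": len(carved_b), "intact": carved_b == files},
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

In scenario A the carver recovers both files byte-for-byte even though the boot sector is gone, because the file contents were never touched; in scenario B there is no header left to find, so nothing comes back. The carver here only understands one file type and assumes files are stored contiguously, which is enough to make the point but well short of a real carving tool.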
In the case of this most recent attack, Symantec noted that one company targeted by Shamoon had also been a victim of another piece of malware called Stonedrill, which is used by an advanced persistent threat (APT) group known as Elfin or APT33. It is possible the two attacks are related, but researchers have not yet been able to establish a direct link.
From a historical perspective, researchers first noted Shamoon in 2012, when it attacked the network of Saudi Aramco -- the largest oil producer in Saudi Arabia -- infecting about 30,000 machines and stopping work at the company for some time.
- Kaspersky: Spear-Phishing Attacks Target 400 Industrial Companies
- Talos: VPNFilter Malware Still Stands at the Ready
- Oil & Gas Industry Face Significant Cybersecurity Threat – Study
- OilRig's Use of RGDoor Shows Sophistication of Nation-State Attacks