Shamoon Disk Wiper Malware returns with a new target. Also known as Disttrack, Shamoon is a family of malware that wipes data from hard drives and has focused its attacks on companies in Saudi Arabia.
It was first seen in the wild in 2012. Now it has been aimed at the infrastructure of Aramco, a Saudi oil company.
Its primary objective is to wipe data from over 30,000 computers and overwrite the MBR (Master Boot Record) with an image of a burning US flag.
Remarkably, the attack even has a theme: the Syrian refugee crisis.
After 2 years of hibernation, the Shamoon malware has targeted Aramco, and its MBR image depicts Alan Kurdi, the three-year-old Syrian boy who was found dead on a Turkish beach.
As in the 2012 configuration, the malware came pre-configured with login credentials for the target computers and was designed to wipe as much data as possible.
This means the hard-coded logins came from an earlier intrusion that had already breached and compromised the organisation's systems and collected the credentials in preparation for the attack.
It was well orchestrated, with impeccable timing; in other words, it was not a random attack. It wiped computers on November 17 at 8:45 local time, which is when the weekend starts in Saudi Arabia (Thursday to Saturday).
The same thing happened in 2012, which allowed the infection to spread over the weekend before it was discovered on the next business day.
Additionally, the 2016 attack was also timed to take place on Laylat al Qadr (Night of Decree), an important Muslim holiday, as an extra measure by the attackers to make sure as many employees as possible were at work.
Malware almost identical with the 2012 version
The malware itself was almost identical to the one used in the 2012 attack. Shamoon consists of three main components: a dropper, a communications module, and a wiper.
The dropper is an executable that extracts the other components from its embedded resources and launches them. Both 32-bit and 64-bit architectures are supported.
The communications component provides the ability to talk to a remote command and control (C&C) server. This server would allow the attackers to deploy new components or change the date on which the attack takes place.
In the 2016 attack this component was neutered: it was configured with the IP 18.104.22.168, which did not host, and never had hosted, any Shamoon C&C infrastructure. Pointing the module at what appears to be a random IP indicates the attackers had no intention of changing the deployment date or aborting the attack.
Malware used the same expired license from the 2012 attack
The third component is the actual hard drive wiper, which is powered by the EldoS RawDisk driver, a utility that grants the malware raw access to the hard drive without going through the Windows OS.
Another clue that the 2012 group carried out the 2016 attack is that the malware altered the infected host's system time to August 2012, a date before the expiry of the RawDisk driver's temporary license, which was the same license used in the 2012 attack.
This and all the previous clues point to the same group being behind this latest attack, which looks to be an attempt to destroy potential forensic data following a cyber-espionage campaign.
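The clock rollback described above (setting the host's system time back to August 2012 so the expired RawDisk license would still validate) leaves a trace that defenders can hunt for. The following is an added example, not code from the original article or from any Shamoon analysis: it parses a constructed, simplified rendering of Windows Security event 4616 ("The system time was changed") and flags hosts whose clock jumped backwards by more than a threshold. The hostnames, process paths and log layout are all assumptions made for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of Windows Security event 4616 ("The system time was
# changed") in a simplified pipe-separated layout; real exports carry more
# fields and a different layout, so the parser below targets only this sample.
SAMPLE_LOG = """\
4616|host=ws-001|prev=2016-11-17T05:40:02Z|new=2016-11-17T05:40:03Z|proc=C:\\Windows\\System32\\svchost.exe
4616|host=ws-014|prev=2016-11-17T05:45:09Z|new=2012-08-15T05:45:09Z|proc=C:\\Users\\Public\\loader.exe
4624|host=ws-014|user=svc_backup
4616|host=ws-022|prev=2016-11-17T05:45:11Z|new=2012-08-01T00:00:00Z|proc=C:\\Users\\Public\\loader.exe
4616|host=ws-030|prev=2016-11-17T06:00:00Z|new=2016-11-17T05:59:30Z|proc=C:\\Windows\\System32\\w32tm.exe
"""

@dataclass
class TimeChange:
    host: str
    previous: datetime
    new: datetime
    process: str

    def rollback(self) -> timedelta:
        """How far the clock moved backwards (zero if it moved forward)."""
        return max(self.previous - self.new, timedelta(0))

def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_time_change(line: str) -> Optional[TimeChange]:
    """Parse one 4616 line in the sample layout; other event IDs yield None."""
    fields = line.strip().split("|")
    if not fields or fields[0] != "4616":
        return None
    kv = dict(f.split("=", 1) for f in fields[1:])
    return TimeChange(kv["host"], _parse_ts(kv["prev"]), _parse_ts(kv["new"]), kv["proc"])

def find_clock_rollbacks(log_text: str, min_days: int = 30) -> List[TimeChange]:
    """Flag 4616 events where the clock was set back by at least min_days.
    Routine drift correction (w32tm/NTP) moves the clock by seconds; a jump of
    years backwards, as Shamoon did to keep the expired RawDisk license valid,
    is a strong signal that the host should be isolated before wiping starts."""
    hits = []
    for line in log_text.splitlines():
        change = parse_time_change(line)
        if change and change.rollback() >= timedelta(days=min_days):
            hits.append(change)
    return hits
```

Run against the sample, only ws-014 and ws-022 are reported; the 30-second adjustment by w32tm on ws-030 stays below the threshold.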