Not long ago, we reported on a disk-wiping malware dubbed Shamoon, which originally targeted physical hard drives.
Now a newly released variant has surfaced. Shamoon was first designed and unleashed against Saudi Arabia's state-owned oil company back in 2012. Fast forward a few years and it is back with a vengeance: according to researchers, it now has the capability to destroy virtual desktops as well.
This is the second variant found in the wild. The new wave was first detected in late November 2016, when researchers spotted the return of the disk-wiping malware after four years of silence.
It does not stray far from the original version. Where the old one used an image of a burning American flag, the new one uses the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.
The likeness to the old release, which permanently destroyed data on more than 30,000 workstations belonging to Saudi Aramco, is uncanny. One or more Saudi targets have been hit again this time, but the researchers have not named them.
According to a blog post published Monday night by researchers from Palo Alto Networks, the latest variant has been updated to include legitimate credentials for virtual systems, which have emerged as a key protection against Shamoon and other types of disk-wiping malware. The actor behind this attack could use these credentials to manually log into the virtual desktop infrastructure (VDI) management systems for Huawei's virtual desktop products, which can protect against destructive malware through their ability to restore snapshots of wiped systems.
“The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack,” the Palo Alto Networks researchers wrote. “If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment.”
Several of the usernames and passwords appear in official documentation as administrator accounts for Huawei's virtualized desktop products, such as FusionCloud. The researchers still aren't sure whether the Shamoon attackers obtained the credentials from an earlier attack on the targeted network or simply included the default usernames and passwords in an attempt to guess their way into the VDI infrastructure.
Other hard-coded credentials in the sample were specific to the newly targeted organization. It is alarming that these hard-coded credentials meet password complexity requirements, which supports the theory that the attackers obtained them in an earlier breach of the same network.
Like the previous Shamoon variant, the new one spreads throughout a local network by "logging in using legitimate domain account credentials, copying itself to the system and creating a scheduled task that executes the copied payload."
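That three-step pattern (remote logon with a valid domain account, payload copied to the host, scheduled task created to run it) leaves a recognizable trail in the Windows Security log. The following is an added example, not code from the original article or from Palo Alto Networks: a small Python detector that correlates network logons (event 4624, logon type 3), file writes over an administrative share (event 5145) and scheduled-task creation (event 4698) on the same host by the same account inside a short window, then reports accounts that repeat the pattern across several hosts. The event rows, host names, account names and file names are constructed for the example; the CSV layout is an assumed flattening of the event fields, not a real log format.

```python
import csv
import io
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Shamoon telemetry), flattened to CSV.
# Windows Security event IDs used: 4624 = successful logon (logon_type 3 = network),
# 5145 = file accessed over a network share (here: written to ADMIN$),
# 4698 = scheduled task created. Hosts, accounts and file names are invented.
SAMPLE_EVENTS = r"""timestamp,host,event_id,logon_type,account,detail
2016-11-28T22:10:05,WS-017,4624,3,CORP\svc_deploy,source=10.0.5.9
2016-11-28T22:10:09,WS-017,5145,,CORP\svc_deploy,share=\\WS-017\ADMIN$ file=System32\dropper.exe
2016-11-28T22:10:14,WS-017,4698,,CORP\svc_deploy,task=\AutoUpdate cmd=C:\Windows\System32\dropper.exe
2016-11-28T22:11:02,WS-018,4624,3,CORP\svc_deploy,source=10.0.5.9
2016-11-28T22:11:10,WS-018,4698,,CORP\svc_deploy,task=\AutoUpdate cmd=C:\Windows\System32\dropper.exe
2016-11-28T09:00:00,WS-042,4624,2,CORP\jsmith,source=console
2016-11-28T09:05:30,WS-042,4698,,CORP\jsmith,task=\Backup cmd=C:\Tools\backup.cmd
2016-11-28T08:00:00,WS-051,4624,3,CORP\svc_deploy,source=10.0.5.9
2016-11-28T13:00:00,WS-051,4698,,CORP\svc_deploy,task=\Patch cmd=C:\Tools\patch.cmd
"""

# Logon-to-task gap considered suspicious. Five minutes is an assumed tuning value.
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the CSV into dicts with a datetime timestamp and a key=value detail map."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["fields"] = dict(kv.split("=", 1) for kv in row["detail"].split())
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def within(window, earlier, later):
    return timedelta(0) <= later - earlier <= window


def detect_remote_task_creation(events, window=WINDOW):
    """Flag each 4698 task creation preceded, on the same host and by the same
    account, by a network logon within `window`. Also record whether the task's
    binary was written over an admin share in that window (the "copy" step)."""
    remote_logons = defaultdict(list)  # (host, account) -> logon timestamps
    share_writes = defaultdict(list)   # (host, file basename) -> write timestamps
    alerts = []
    for ev in events:
        key = (ev["host"], ev["account"])
        if ev["event_id"] == "4624" and ev["logon_type"] == "3":
            remote_logons[key].append(ev["timestamp"])
        elif ev["event_id"] == "5145":
            name = ntpath.basename(ev["fields"].get("file", "")).lower()
            share_writes[(ev["host"], name)].append(ev["timestamp"])
        elif ev["event_id"] == "4698":
            logons = [t for t in remote_logons[key] if within(window, t, ev["timestamp"])]
            if not logons:
                continue  # local/interactive admin work or a stale logon: not this pattern
            cmd = ev["fields"].get("cmd", "")
            name = ntpath.basename(cmd).lower()
            dropped = any(within(window, t, ev["timestamp"])
                          for t in share_writes[(ev["host"], name)])
            alerts.append({
                "host": ev["host"],
                "account": ev["account"],
                "task": ev["fields"].get("task"),
                "cmd": cmd,
                "logon_to_task_seconds": (ev["timestamp"] - max(logons)).total_seconds(),
                "dropped_via_share": dropped,
            })
    return alerts


def fan_out(alerts):
    """Accounts that created tasks on more than one host: one set of credentials
    being reused to seed a whole network, which is the worm-like part of the pattern."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["account"]].add(a["host"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    alerts = detect_remote_task_creation(parse_events(SAMPLE_EVENTS))
    for a in alerts:
        print(a)
    print("fan-out:", fan_out(alerts))
```

On the constructed rows the detector fires for WS-017 and WS-018 (the same service account logs in over the network and creates a task within seconds, and on WS-017 the task binary was just written to ADMIN$), stays quiet for the console logon on WS-042 and the five-hour-old logon on WS-051, and the fan-out report singles out the one account that repeated the pattern on two hosts. In a real deployment the interesting tuning knobs are the window, which accounts are allowed to create tasks remotely at all, and whether the task command points at a freshly written file.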
The updated Shamoon disk-wiping attack was set to begin overwriting computer systems on November 29, 2016 at 1:30 AM.
This is almost identical to the previous variant's timing: the attackers tried to maximize their impact by triggering the wiper at a time when the target organization would have fewer personnel and resources on site to detect the anomalous code running.
The screenshot at the top of this article shows the operating system on a virtual machine failing to boot because of the damage.
This clearly shows that the malware has evolved: it no longer targets only physical hardware but is now capable of damaging virtual machines as well.