Shamoon malware returns to again wipe Saudi-owned computers

Iran suspected as likely source of re-vamped nastyware

Thousands of computers in Saudi Arabia's civil aviation agency and other Gulf State organisations have been wiped by the Shamoon malware after it resurfaced some four years after wiping thousands of Saudi Aramco workstations.

Security firms FireEye, CrowdStrike, McAfee, PaloAlto, and Symantec reported on the advanced sabotage malware which United States intelligence officials say is Iran's handiwork.

Shamoon's 2012 attack crushed Saudi Aramco, wiping data on three-quarters of its enterprise computers, replacing emails and documents with a picture of a burning American flag. Iran's oil ministry, the Kharg Island terminal which processes 80 percent of the nation's oil exports and is owned by Saudi Aramco, and other rigs all hit trouble.

The 2012 raid was launched on the eve of a religious holiday, assuring that the company's 55,000 employees would be staying home.

The USA's claim that Shamoon is an Iranian product are not convincingly confirmed by technical evidence, as hackers are known to drop hints in the hope of misdirecting investigators.

Shamoon's only variant to appear since those devastating attacks has changed little other than to use the horrific photograph of the body of Alan Kurdi, the three-year old Syrian boy who washed up drowned in Bodrum, Turkey last year.

None of the security companies openly discussed which organisations and agencies Shamoon has targeted in the latest wave of attacks. Sources familiar with the investigation told Bloomberg Saudi Arabia's General Authority of Civil Aviation lost "critical data" in attacks that brought operations to a halt for several days.

FireEye researchers opting to write anonymously say colleagues at high-end forensics firm Mandiant responded to the new attacks against an unnamed organisation in mid November and based in the Gulf states.

"Since then, Mandiant has responded to multiple incidents at other organisations in the region," its advanced malware team says.

Symantec malware analysts say Shamoon's authors have made "significant" preparatory work for the attacks imbuing their malware with stolen internal passwords that likely facilitated its spread.

A prompt thrown by the Wiper malware. Image: Palo Alto.

A prompt thrown by the Wiper malware. Image: Palo Alto.

Palo Alto security experts shore up the findings in their analysis of the wiper module known as Disttrack, finding the adminstrator and user credentials stored within are not within public domain, and are too strong to have been obtained through brute force or dictionary guessing attacks, and as a result are likely to be the fruits of phishing.

In 2012, like now, Shamoon was triggered to wipe data at a pre-set point in time. On 17 November 8:45PM Saudi time the malware activated its disk wiping payload in what researchers say is a likely effort to reduce the chance of discovery because it took place on a Thursday, the end of the Saudi working week.

The malware is still modular; its 32- and 64- bit dropper component creates the NtsSrv Windows service which downloads Disttrack and its Eldos driver that is required for the wiper to access hard disks from user mode.

That latter driver, according to FireEye, is a legitimate tool attackers used under a free trial licence which forced Shamoon writers to set clocks on infected computers to August 2012 in order for the disk-wiping to take place.

A reporter module handles command and control communications including reporting infections and disk erasing success, and downloading new configurations or time to execute, although the respective server appeared inactive.

All security firms have released indicators of compromise for security professionals to use to detect identical Shamoon infections. ®


Biting the hand that feeds IT © 1998–2017