Revealed: Web servers used by disk-nuking Shamoon cyberweapon

A detailed analysis of the Shamoon malware – which is playing a huge role in the cyberwar between Saudi Arabia and Iran – has identified servers used to spread the software nasty.

Shamoon surfaced in 2012 when it infected 30,000 workstations in the world’s largest oil production firm, Saudi Aramco, wiped their hard drives, and put the giant into panic mode. Since then the malware has been refined, and attacks have continued on high-value Saudi government and industry targets as late as last month.

Now researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) team think they have cracked the propagation techniques used by the malware operators. They may know how they get it onto systems, giving IT managers a good chance of spotting whether they have an infection problem before the data-destroying part of the software is unleashed.

The attackers first spam out emails to staff in the target company, impersonating a trusted person and bearing a Word document marked as a resume, health insurance paperwork, or password policy guidelines. For example, the messages may appear to come from IT Worx, an Egyptian software company, or from Saudi Arabia’s Ministry of Commerce and Investment.

If opened, a macro within the document executes two Powershell scripts. The first script downloads and executes another PowerShell script from 139.59.46.154:3485/eiloShaegae1 via HTTP. The second script creates a memory buffer using the VirtualAlloc library call, fetches shell code from 45.76.128.165:4443/0w0O6 via HTTP, copies it into the buffer, and executes the code using CreateThread. This thread then creates another buffer, fills it with a PowerShell script from 45.76.128.165:4443/0w0O6 via HTTP, and runs that, too.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” IBM reports.

The team also identified two web domains used to host malicious executables and used by Shamoon's masterminds to carry out their attacks. Ntg-sa.com mimics the ntg.sa.com domain of Saudi petrochemical support firm Namer Trading Group and maps-modon.club is similar to the Saudi Industrial Property Authority’s maps.modon.gov.sa domain.

IBM advises blocking connections to and from these domains and the aforementioned IP addresses as a first priority and doing a network scan to see if there are users who are infected by the malware. Typically the attackers use these infected machines for reconnaissance and credentials stealing before deploying the main Shamoon payload.

It seems highly likely that Shamoon attacks are going to continue, since there now appears to be an exchange of malware between Iran and Saudi Arabia. The Iranians have blamed several petroleum plant fires last year on hacking, and the Saudis are pointing the finger of blame for Shamoon at the Iranians.

In the meantime, everyone else could get caught in the crossfire, so get checking those networks. ®