by Aviv Raff on | Leave a comment
Filed under Research Lab and tagged News, Zero-day vulnerabilities.
Filed under Research Lab and tagged News, Zero-day vulnerabilities.
Shamoon, a two-stage targeted attack
Whenever there is a new report about a targeted attack, the first thing you might ask yourself is: “What is the intention?”
Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a zero-day vulnerability in order to silently install a sophisticated malware?
Today, Seculert received information about a new attack targeting several specific companies in a few industries. The attack is called “Shamoon,” due to a string of a folder name within the malware executable (“C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb”).
The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record (MBR) of the computer. Why would someone wipe files in a targeted attack and make the machine unusable?
While it’s rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran, that were infected with another unknown malware. This then lead Kaspersky to the discovery of Flame.
Furthermore, Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company’s network. The samples we analyzed communicated with a local IP address 10.1.252.19 (see Figure 1).
Figure 1: Shamoon malware trying to communicate with IP address 10.1.252.19
The evidence above suggests that this is a two-stage attack:
- The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
- Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.
It is still unclear who is behind this attack. We will update this blog with more information when it becomes available.
UPDATE [17-Aug-2012]: Updated the section about Flame, to clarify that it was not used in the same attack as Flame, but rather a different targeted-attack that led to the discovery of Flame.
Is your network compromised? Take a free trial of Seculert and discover threats your other security solutions have missed.
What industries were targeted?
What countries were they located in?
Looks like energy company (at least one) and seems to be in the Middle East:
http://www.securityweek.com/disttrack-sabotage-malware-wipes-data-unnamed-middle-east-energy-organization
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240005715/new-targeted-attack-destroys-data-at-middle-east-energy-organization.html
Is the company Aramco?
http://www.computerworld.com/s/article/9230363/Saudi_Aramco_hacked_company_confirms_disruption?taxonomyId=17
Follow @cyberstrikenews in twitter to read more detail about the attack, as the hackers publish them through some irc channels we found to be talking about this.
The reason for wiping the harddrive is that the developers of this virus were idiot amateurs. Standard procedure when you figure out a machine is compromised with a virus is to wipe the hard drive. Usually, most of the work is in finding out that the machine has a virus – getting rid of it is *always* easy if you have the knowhow to rebuild from scratch
On of the companies was saudi ARAMCO the world lrgest producer of oil
So when does one know if the virus wipped ARAMCO’s CENTUM CS DCS from yokogawa? This would be great information!!!!
Seems to me that the reason for the destroying of the computer is simple. The computer is the link in the chain and breaking this link you then make it hard to figure where the next link is. In other words its a way to cover your tracks.
I’m still not convinced of the attackers motive.. any thoughts people?
It could be the training stage for cyber destroyer. If completed, such malware could destroy specific networks, e.g. defense systems, infrastructure. Potential results: non–controllable and non–manageable weapons, defense systems (for instance, missile shield), energy production–transportation.
Anyone know of any companies in the Middle East that may have been targeted? Or that are a victim of the attack itself?
Similar Attack hit RassGas in QATAR
Imagine if a zero-day Shamoon got into NSA, NGA, NRO, DIA, CIA, NMEC, NGIC, DCGS networks at 1:00 am where “Security is Everyone’s Job”, but those with polygraphs complacently fail at defense in depth, trusting the green door to keep evil out while they sleep. What is the difference between ignorance and apathy? They don’t know and they don’t care. When all COMMS, SIGINT, IMINT, HUMINT, and MASINT goes down with backups containing yet another series of trojans that destroy continuity of operations who are they going to call?
Ask the DCI CIO what the Cyber Emergency 911 is at any of the 3-letter organizations for all the TS/SCI networks connecting the military-intelligence-industrial complex.
Ask how the 432nd Wing UAV controller network at Creech AFB was infected. Ask how the RQ-170 controlled in Nevada ended up landing in Iran.
Ask how StratFor and HBGary were taken down.
Ask how an 82-year old nun gets into the Y-12 weapons grade uranium plant in Oak Ridge Tennessee or an Army Private is credited with starting the Arab Spring using WikiLeaks.
Where are the people that took oaths to defend their country? Slimy bastards sucking at the teat of big brother slinking away proclaiming, “Not my job.” The Chinese, Russians, and Iranians are probably quietly gobbling up everything the IC is monitoring because government personnel leaving everything to contractors who’s only goal is to grow their contract so they can pay their mortgage, send their kids to college, and plan their next vacation. Few care enough about national security with the discipline to be continuously vigilant.
Pingback: Preventing Today’s Advanced Threats is Unrealistic | Seculert Blog on Advanced Persistent Threats and Malware