The Shamoon data-wiping malware that attacked government systems in Saudi Arabia last month is not dramatically different from an older version that destroyed 35,000 computers at Saudi oil company Aramco in 2012. And yet, even without substantially evolving, the malicious code showed it still packs a massive punch, according to researchers at Palo Alto Networks' Unit 42 threat intelligence team, who studied new samples of Shamoon.
Shamoon 2 does rely on more obfuscation than its predecessor and also has changed its extraction and decryption process since the 2012 attack. But much else is the same – especially its ability to obliterate data and sabotage systems to the point that they cannot reboot.
In fact, Shamoon 2 is so similar to its older version that the attackers even had to reset the system clock on victims' systems back to 2012 in order for the malware to work properly. Still, the relatively small changes made to the Disttrack code over the last four years are enough to make the payload “look different from a static and behavioral standpoint," noted Ryan Olson, director of the Unit 42 threat intelligence team, in an email interview with SC Media.
Shamoon is composed of three parts: a dropper, a communications module and a wiper. Moreover, hard-coded into the observed malware samples were administrator-level system credentials and internal domain names belonging to the targeted entity, which were likely stolen in advance of the attack. (According to Palo Alto, the credentials were too strong to have been guessed through brute-force or dictionary attacks.)
"Frustratingly, this pattern of privileged credential compromise continues to be repeated – consider attacks like the ones impacting the Ukraine power grid, Bangladesh Bank, the [Las Vegas] Sands Hotel and more," said John Worrall, CMO at information and account security company CyberArk, in emailed comments sent to SC Media. "Hijacked administrator credentials enable attackers to enter the network undetected and they continue to elevate those privileges until they find a landing point to inflict maximum damage.
Leveraging the pilfered credentials and domain names, the malware spreads like a worm, jumping from infected machines to additional systems connected via the local network. The dropper plays a key role in this process – opening the service manager on each remote system to launch the RemoteRegistry service, then disabling user controls before logging in with the stolen credentials and writing its payload (including the communication and wiper components.)
The communication module is configured to interact with a command-and-control server via HTTP; however, it was programmed with an IP address that does not actually host a Disttrack C&C server. This suggests that the adversaries behind the attack wanted only to destroy infected machines, not secretly hijack or remotely access them, the Palo Alto blog post explained.
“The advantage of not connecting is it reduces external connections that could be used to block or prevent attacks or learn more about the attackers,” said Olson. “In essence, the malware has been stripped down for a one-way mission.”
Upon activation, the wiper component installs a kernel driver from an ordinarily legitimate commercial tool from EldoS Corporation known as RawDisk, which is designed to help administrators access restricted files.
The malware leverages RawDisk to overwrite protected systems, including the master boot record and partition tables of storage volumes, in one of three ways: It can overwrite data with JPEG image files (as it notably did in this latest attack, using the image of drowned Syrian boy Alan Kurdi – an image that powerfully symbolized Syria's refugee crisis), it can encrypt file contents using the RC4 algorithm, or it can overwrite files with random values used for the key in the aforementioned RC4 algorithm.
Once the files are overwritten, the wiper restarts the system, but the computer is no longer able to boot correctly, rendering the machine utterly useless. “There is one main option for recovery: restoring back-ups of the system," said Olson. "It is possible to go through forensic recovery to recover data that is still present on the physical platters of the hard drive, but the success of that will vary and be questionable.”
The source and motive for the attacks have yet to be confirmed, but some reports contend the attack appears to have come from Iran, which was responsible for the 2012 attacks, according to Bloomberg.