IBM researchers have uncovered how the deadly malware enters networks
IBM researchers have uncovered how the deadly malware enters networks

Researchers are closer to uncovering the miscreant behind a series of devastating cyberattacks that affected thousands of computers used by government and civil organizations in the Gulf states from November 2016 through January of this year.

As opposed to ransomware, which locks up a targeted computer's data until a fee is paid, the so-called Shamoon malware destroys hard drives by wiping the master boot record (MBR) and data.

Forensics analysts on the IBM X-Force Incident Response and Intelligence Services (IRIS) team have now identified the method by which the attackers launched their malware.

The malware distributors launched their campaign using a document with a malicious macro embedded that, when clicked on by an unsuspecting target, launched the execution and began C2 communications with the attacker's server and remote shell via PowerShell, the report found.

But, this instance was consistent with several other campaigns in recent months using PowerShell-laden docs disguised as résumés and messages from human resources personnel associated with entities in Saudia Arabia, the researchers explained.

The IBM team's investigation revealed the use of "similar operational methods in which the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network."

While the Shamoon malware has been on the radar of security researchers since 2012, the revelation here, the researchers said, was the specific network compromise methods used in the attacks.

The actor behind the most recent Shamoon campaigns "relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations," they explained.

In this instance, the bad actor sends off a spear-phishing email to workers at target organizations with a Microsoft Office doc attached. The message appears to come from an international software professional services organization based in Egypt, so recipients would consider it safe. But, when they open the attachment, PowerShell is engaged and it enables command line access to the compromised machine.

At this point, the attacker gains access to the infected machine and launches commands to deploy further tools and malware to additional endpoints. They also can escalate privileges for greater access to the corporate network. Once inside the network, attackers can scope out and connect to additional systems to locate critical servers, the report explained. At this point, Shamoon is deployed and spreads across the entire corporate network destroying hard drives.

But there is some help. Kevin Albano, global lead, threat intelligence at IBM X-Force IRIS, told SC Media on Friday that he recommends that all firms scan for malware that his team believes proceeds Shamoon. "Also, since the dropper malware relied on macros in malicious documents, I'd recommend either disabling macros or filtering for macro enabled documents coming in from external sources."

The real lesson, he said, is that destructive malware like Shamoon is only going to be growing. "The most recent attacks in the Middle East show it can cause extensive economic disruption. This is a whole new concern for business and being prepared takes vigilance not only in how you defend your network but in how you prepare to respond to an all out "deleting" of your data."

Right now, the Shamoon malware has mostly targeted businesses in the Middle East, he pointed out. But that doesn't mean that companies doing business in the region should not be concerned. "Companies could be indirectly impacted by the malware as supply chain partners in the region are taken offline for days/weeks at a time."

When asked how the malware can be stopped, Albano explained that, unfortunately, it's not possible to eradicate the scourge itself because it is destructive in nature and wipes hard drives and networks clean. What IT admins can do, he said, is mitigate the malware and tools used to drop the Shamoon malware on to networks. 

"The IBM X-Force IRIS team found the malware tools and techniques used by the actors to compromise the organization's network," he said. "This research empowers organizations with the IOCs to determine if they've been impacted which was impossible before, because the indicators weren't public until now."