Shamoon Malware Returns in New Attacks

Wiper malware first seen in attacks back in 2012 evolves in new attacks targeting victims in the Middle East.

The Shamoon wiper, which is a class of malware that 'wipes' or destroys data on infected machines, is once again attacking systems in the Middle East, according to multiple reports from security vendors including CrowdStrike, FireEye and Symantec.

Shamoon first appeared back in August 2012 and was linked to an attack against Saudi Aramco, Saudi Arabia's national oil company. The new Shamoon 2 attack is a variant of the 2012 malware with some new updates that are designed to try and evade signature based detection security systems.

With the original Shamoon, the wiper erased user files and replaced them with an image of a burning American flag. In contrast, with the Shamoon 2 malware, Dmitri Alperovitch, CTO and co-founder of CrowdStrike said that instead the image used is that of deceased Alan Kurdi, the 3-year old Syrian boy whose body was found on a Turkish beach in September 2015.

"The Shamoon 2 attack was activated on November 17 in the Middle East and it was uploaded to VirusTotal on November 22," Alperovitch told eWEEK.

VirusTotal is an online resource now owned by Google, that is often used by security researchers to load new malware samples, in an attempt to see if they are known and whether or not security scanning engines are able to detect any malicious actions. The Shamoon 2 attack is not being given a new CVE vulnerability identifier as it is technically not exploiting an unknown flaw.

"Shamoon 2 is a wiper so it's not using any new vulnerabilities," Alperovitch explained. "Once it's deployed on a system, it has hard coded credentials in the malware, so there was probably some insider help or prior reconnaissance by the adversary."

By having the credentials, the attackers did not need any new exploits to spread the malware. Alperovitch explained that once Shamoon 2 is on a system, it detonates, wiping files and overwriting them with an image. Shamoon then also proceeds to over-write the master boot record of the system, in order make the machine un-bootable.

Microsoft's Windows 10 operating system includes the new Credential Guard technology that aims to protect administrator credentials. Alperovitch noted that while Credential Guard does make it more difficult for credentials to be stolen, it's still possible. He added that at this point, it's not known how the credentials on the attacked systems were actually stolen.

"It could have been an insider, in which case Credential Guard won't help at all," Alperovitch said.

In terms of impact, at this point Shamoon 2 has taken direct aim at what Alperovitch referred to as several organizations in the Middle East. It's also not entirely clear at this point who exactly is behind the Shamoon 2 attacks. Alperovitch noted that the original Shamoon attack was built by Iran, though CrowdStrike has not yet determined if Shamoon 2 is built by the same group, or not.

From a code perspective, very little has actually changed from the Shamoon used in attacks in 2012 and the version used now in 2016. Alperovitch explained that the original Shamoon attack used a raw disk driver called ElDos to overwrite the master boot record. The ElDos tool was obtained with a trial license that expired in September 2012.

"This new version of Shamoon uses not only the same raw disk driver, but the same original key," Alperovitch said. "In order to avoid the license check, Shamoon 2 resets the clock on the machine to August 2012, to make sure the driver will still activate with the trial key."

What has changed in the new version of Shamoon is that there are now additional code obfuscation capabilities that attempt to hide what the code includes. Shamoon is written in the C programming language, with the obfuscation developed as custom code by the attackers. When code is packaged, there is typically a hash value that the package will have, which is what signature based security systems will scan to find malware. In contrast, machine learning approaches, such as the one used by CrowdStrike and its Falcon platform do not use signatures.

Alperovitch doesn't necessarily think that Microsoft can do anything to patch against Shamoon 2 either.

"The problem is that everything it (Shamoon 2) is doing is something you could do in a legitimate context," Alperovitch said. "The wiper malware itself is not stealing files or doing anything overtly malicious."

Alperovitch noted that legitimate programs do have reason to overwrite files including the master boot record. For example, there are tools that help users to re-partition hard-drives, that need to be able to overwrite files.

For organizations looking to defend against Shamoon, Alperovitch has a few suggestions, including, of course, using a next generation security tool, such as CrowdStrike Falcon. Beyond that Alperovitch recommends that organizations limit who has access to Windows domain credentials.

"Once those credentials are stolen, those are the keys to the kingdom," Alperovitch said. "So whatever you can do to protect those credentials and limit their usage is really important."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.