An Analysis of the Shamoon 2 Malware Attack
Saudi officials recently warned organizations in the kingdom to be on the alert for the Shamoon 2 malware, which cripples computers by wiping their hard disks. In 2012, Shamoon crippled Saudi Aramco and this new variant was reportedly targeted at the Saudi labor ministry as well as several engineering and manufacturing companies.
During a recent analysis, Vectra Networks came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents.
These documents use PowerShell to download and execute the reconnaissance tool to start their foothold in the victim’s network. This tool, known as ISM, appears to be a full-fledged standalone tool that allows remote operators to data-mine systems prior to removing their tracks with Shamoon 2.
ISM is a relatively small binary in comparison to modern malware. It is roughly between 565 and 580 KB in size and appears to be compiled using Microsoft Visual C++ 8.0. Once executed, this tool performs several actions in order to gather as much critical information about the targeted system.
It contains a few anti-sandbox and analysis methods and will specifically look for the presence of “ISM.exe” being executed in order to successfully complete its operation.
Figure 1: Tasklist search for ISM.exe
The tool will obtain the following information on the targeted machine:
Figure 2: Examples of data-gathering scripts
The tool also forces system shutdowns by task-killing the Windows initialization process, winit.exe when system shutdowns are not successful. It can create scheduled tasks and use them to disrupt application and system update checks.
In addition, the tool has the ability to execute additional RAT and backdoor tools. The following tools are specifically labeled in the code:
Figure 3: References to additional RAT resources
The tool also makes an outbound DNS and HTTP requests to the server update.winappupdater.com. Upon inspection, this server at one point had several suspicious PHP and URI requests to pages that would indicate C&C functionality.
The tool uses a unique user agent string of Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko in order to conduct HTTP C&C requests:
Figure 4: User agent string identifier
Example parameters during C&C would be similar to the following:
These HTTP requests are made to URIs containing Home/BM, Home/CC, Home/SCV, Home/CC or Home/CR. A few other resources, such as Home/SF and Home/gf, were also noted and might be used for testing or previous campaigns.
Figure 5: C&C communication URI locations
In addition, it appears the server is also hosting an outdated Microsoft-certified Intel wireless LAN driver (NB500_Win7_intel_wireless_LAN_Driver_220.127.116.11.1.s32). This tool is likely being used in malicious manners to either manipulate existing network drivers or to use a vulnerability in the driver itself for privilege elevation vulnerabilities on the targeted systems.
Once this binary has executed on a system and the attackers are satisfied with the gathered data, the tool has the ability to remove all traces of its temporary files from the system.
This stolen data is then directly used in the Shamoon 2 builder application in order to maximize data wipe effectiveness. Since credentials and network locations are stolen in this phase, the operators merely have to deliver the Shamoon 2 malware to the system via the ISM backdoor whenever they are finished performing their primary mission.
Upon initialization, the Shamoon 2 binary will scan the current /24 network to which the local machine is connected. This network sweep will scan for machines using the stolen credentials gathered by the ISM malware via TCP ports 135, 139, and 445.
The authors will check for valid passwords against systems via abusing remote registry calls against the targeted systems. Once a successful remote registry session is detected, the malware will use RPC and psexec to remote-copy the files to these machines and then silently execute each of these binaries.
Current copies of Shamoon 2 binaries will delete the system on the following Tuesday after execution at 0230 system time. We believe that the payload detonation date and time might also be customized based on the current campaign.
What you should do
Upon detection of any of Shamoon 2 activity, it is strongly advised that all affected systems be physically powered-off immediately. Administrators should then boot the affected devices from a secure USB device and mount the file system for read access.
Mission-critical files should then be removed from the system and the system should be re-imaged with different credentials. Administrators should note that if that if the Shamoon 2 binary or its network activity is detected, domain credentials and likely other sensitive information has been already stolen and exfiltrated from the affected network.
The resulting payload of Shamoon 2, which wipes the MBR and replaces it with an image, is likely used to cover the tracks of the attackers and their true motives.
The data science behind Vectra threat detections
Register for this white paper to learn how Vectra AI-based threat detection models blend human expertise with a broad set of data science and sophisticated machine learning techniques to identify threats like Shamoon 2.