IBM shares details on the attack chain for the Shamoon malware

Security experts at IBM published a report that includes precious details on the attack chain of the dreader Shamoon cyberweapon.

The dreaded Shamoon malware, aka Disttrack, has resurrected and government agencies and threat intelligence firms are investigating the recent strings of attacks leveraging the dangerous disk wiper.

We detected the Shamoon malware for the first time in August 15th, 2012, when the Saudi Arabia’s oil company, Saudi Aramco announced that its systems and its internal network were victims of a cyber-attack. According to the company, Shamoon infected more than 30,000 workstations.

On December 2016, security experts observed a new wave of attacks leveraging on the Shamoon malware. The malware experts from Palo Alto Networks and Symantec both reported an attack on a single Saudi company.

The new variant of Shamoon, so-called Shamoon 2, can rewrite the MBR on affected computers with an image of a three-year-old Syrian boy named Alan Kurdi that lay dead on a Turkish beach.

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

In January, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.

The researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) believe Shamoon malware is pivot element in the information warfare between Saudi Arabia and Iran.

The malware experts have identified servers used to deliver Shamoon, they have broken onto the server used by the attackers and gathered more information to study the threat and its attack chain.

“This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:” IBM reports.

1. Attackers send a spear phishing email to employees at the target organization. The email contains a Microsoft Office document as an attachment.
2. Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine.
3. Attackers can now communicate with the compromised machine and remotely execute commands on it.
4. The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network.
5. Attackers study the network by connecting to additional systems and locating critical servers.
6. The attackers deploy the Shamoon malware.
7. A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped.

The attackers launched a spear-phishing campaign against the potential targets, they used to impersonate a trusted person, for example, the Saudi Arabia’s Ministry of Commerce and Investment or the Egyptian software company IT Worx.

The messages come with a Word document marked as a resume, health insurance paperwork, or password policy guidelines, anyway something of interest for the potential victim.

The documents include a malicious macro that starts the attack. When the victim executes the macro it launches two Powershell scripts.

• The first script downloads and executes another PowerShell script from the 139.59.46.154:3485/eiloShaegae1 via HTTP. The second script creates a memory buffer using the VirtualAlloc library call, fetches shell code from 45.76.128.165:4443/0w0O6 via HTTP, copies it into the buffer, and executes the code using CreateThread. This thread then creates another buffer, fills it with a PowerShell script from 45.76.128.165:4443/0w0O6 via HTTP, and runs that.
• The second script creates a memory buffer using the VirtualAlloc library call, fetches shell code from 45.76.128.165:4443/0w0O6 via HTTP, copies it into the buffer, and executes the code using CreateThread. This thread then creates another buffer, fills it with a PowerShell script from 45.76.128.165:4443/0w0O6 via HTTP, and runs that, too.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” continues the report.

The researchers identified two web domains used to host malicious executables and launch the attacks.

 

• Ntg-sa[.]com that spoofs the legit ntg.sa.com domain of Saudi petrochemical support firm Namer Trading Group.
• maps-modon[.]club that spoofs maps.modon.gov.sa, which is associated with the Saudi Industrial Property Authority,

This information is precious for system administrators that could check any connection to these domains and block it.

The experts discovered that attackers once infected the machine use them for reconnaissance, gathering information on the network and stealing sensitive information. Once completed this phase the attackers deploy the Shamoon payload.

Saudi Arabia is warning local organizations about the Shamoon malware, experts believe that the threat actor behind these operations will continue its activity temporarily disappearing and changing tactic.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – shamoon, cyber weapon)