Malware

Shamoon 2 – Palo Alto Networks sheds lights on the method for network distribution

Security researchers at Palo Alto Networks have determined that the Shamoon 2 malware uses a rudimentary technique for network distribution.

Security researchers at Palo Alto Networks continue to analyze the dreaded Shamoon 2 malware and the recent waves of attacks, now they have determined that the threat uses a rudimentary technique for network distribution.

The Shamoon 2 malware was first spotted in November 2016, a second variant of the same threat was discovered by researchers at Palo Alto Networks in January and it was able to target virtualization products.

Shamoon, also known as Disttrack, was first discovered in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

IBM recently reported that the attackers delivered the Shamoon 2 malware using weaponized documents, while Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.

Threat actors used stolen credentials to deliver the malware on the target systems, according to researchers at Symantec they may have been provided by another cyber espionage group called Greenbug.

Greenbug hackers used the Ismdoor remote access Trojan (RAT) and other tools in attacks against organizations in the Middle East.

The Ismdoor establish a backdoor on the target machine and leverages PowerShell for command and control (C&C).

The group targeted organizations in multiple industries, including aviation, investment, government and education organizations in several countries (i.e. Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia).

Yesterday experts at Palo Alto networks shared details about their investigation about how the stolen credentials were used by the attackers.

The threat actors first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials, then used it as a distribution server. The machine was used to store the hacking tools and the malicious code used in the attack. Then the attackers attempted to connect to named systems on the network using compromised credentials to spread the Shamoon malware.

“Our analysis also shows an actor distributes Disttrack within the targeted network by first compromising a system that is used as the Disttrack distribution server on that network. The actor then uses this server to compromise other systems on the network by using the hostname to copy over and execute the Disttrack malware.” reads the blog post published by Palo Alto Networks. “On each of these named systems that are successfully compromised, the Disttrack malware will attempt to propagate itself to 256 additional IP addresses on the local network. This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion.”

The researchers speculate the hackers obtained the information of the named hosts directly from Active Directory on a domain controller, a circumstance that suggests that the Shamoon 2 attackers used legitimate credentials in their operations.

“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.

The researchers at Palo Alto Networks also explored a possible connection between the Shamoon 2 malware and the Magic Hound campaign, The researchers noticed that one of the command and control (C&C) servers used by Magic Hound and a server hosting the Shamoon files used IP addresses from the same range, namely 45.76.128.x. Both attacks also leveraged PowerShell and Meterpreter and targeted entities within Saudi Arabia.

“If the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may be able to hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials.” continues Palo Alto Networks.”This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and Meterpreter, both of which have these types of capabilities.”

Summarizing Palo Alto Networks agrees with Symantec on the theory that threat actors behind the Shamoon 2 conducted the Magic Hound campaign as a reconnaissance phase their attacks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Shamoon 2 malware, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

20 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.