A second sample of the Shamoon V3 wiper analyzed by the experts

A second sample of the Shamoon wiper was uploaded to Virus total on December 13, from the Netherlands, experts analyzed it.

Last week security experts at Chronicle announced the discovery of a new variant of the infamous Shamoon malware, the sample was uploaded to Virus Total from Italy at around the time Italian oil services company Saipem announced to have suffered a cyber attack.

Over 300 of the servers at Saipem had been infected by Shamoon.

Now security experts have spotted a different sample of the new Shamoon variant, a circumstance that could suggest the attack was greater than initially thought,

The second sample was uploaded to Virus total on December 13, from the Netherlands.

Malware researchers at Anomali Labs confirmed that this second sample is different from the one discovered by Chronicle.

The trigger date is set in the past, but to December 12, 2017, five days later than the one set in the variant identified by Chronicle. The trigger date is likely set to the past to allow immediate execution on the target system.

The trigger date could be retrieved by the C2, but the sample analyzed by
Anomali Labs did not include any reference to command and control servers.

“A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it can immediately perform destructive actions once infecting a user’s machine.” reads the analysis published by Anomaly Labs.

“Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.”

The newly identified sample is UPX packed in the attempt to modify the signature of the malware to make it harder the detection.

The new Shamoon variant also uses “VMWare Workstation” in its file description in an attempt to utilize a legitimate software product as a lure to victims.

“Anomali Labs has not correlated this sample to an active cyber-attack at this time, however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.” concludes Anomali Labs.

Further details, including IoCs are reported in the analysis

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs –Shamoon v3, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.