A second sample of the Shamoon V3 wiper analyzed by the experts

A second sample of the Shamoon wiper was uploaded to Virus total on December 13, from the Netherlands, experts analyzed it.

Last week security experts at Chronicle announced the discovery of a new variant of the infamous Shamoon malware, the sample was uploaded to Virus Total from Italy at around the time Italian oil services company Saipem announced to have suffered a cyber attack.

Over 300 of the servers at Saipem had been infected by Shamoon.

Now security experts have spotted a different sample of the new Shamoon variant, a circumstance that could suggest the attack was greater than initially thought, 

The second sample was uploaded to Virus total on December 13, from the Netherlands.

Malware researchers at Anomali Labs confirmed that this second sample is different from the one discovered by Chronicle.

The trigger date is set in the past, but to December 12, 2017, five days later than the one set in the variant identified by Chronicle. The trigger date is likely set to the past to allow immediate execution on the target system. 

The trigger date could be retrieved by the C2, but the sample analyzed by 
Anomali Labs did not include any reference to command and control servers. 

“A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it can immediately perform destructive actions once infecting a user’s machine.” reads the analysis published by Anomaly Labs.

“Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.”

The newly identified sample is UPX packed in the attempt to modify the signature of the malware to make it harder the detection.

The new Shamoon variant also uses “VMWare Workstation” in its file description in an attempt to utilize a legitimate software product as a lure to victims.

“Anomali Labs has not correlated this sample to an active cyber-attack at this time, however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.” concludes Anomali Labs.

Further details, including IoCs are reported in the analysis 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs –Shamoon v3, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]