Update: the Shamoon detection tool has been updated to detect the Shamoon 3 variant first seen on December 10, 2018. An updated Shamoon 3 detector is available for download.
The Shamoon wiper has hit oil and gas organizations in the Middle East for the third time. The first wave, observed in 2012, wiped more than 30,000 systems at Saudi Aramco and other oil companies in the region. The second wave, Shamoon 2, was detected in late 2016 and targeted a single organization in Saudi Arabia; a second variant of Shamoon 2 was found to wipe all data on the systems it reached. The third wave is a new variant of the Shamoon 2 dropper component and is known as Shamoon 3. Earlier Shamoon attacks overwrote documents, pictures, videos and music files, wiped the Master Boot Record (MBR) and replaced it with an image of a burning flag.
Shamoon 3 keeps the MBR-overwriting routine and also destroys file contents irreversibly. The main difference between the older variants and the new one is that Shamoon 3 carries no hard-coded domain credentials for the target organization; earlier variants shipped with such credentials and used them to spread to other systems on the network. Researchers have also found that Shamoon 3 contains a longer list of filenames from which it picks the name of the executable it drops.
This document describes the indicators of compromise (IOCs) for Shamoon 3 and the recommended mitigations.
Modules in Shamoon 3
A Shamoon 3 attack begins with a dropper whose job is to install a communications module and a wiper module on the system.
The dropper picks a random name from a built-in list for each module it installs. The communications module is dropped under one of the following filenames, with a .exe extension:
The wiper module installed by the dropper overwrites the MBR, the partitions and the files on the system. It is dropped under one of the following filenames, with a .exe extension:
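Because the wiper's first target is the MBR, a quick forensic triage is to read the first 512 bytes of a suspect disk or image and check whether the classic MBR layout is still intact. The script below is an added example written for this page, not the vendor's detection tool: it parses the 446-byte bootstrap area, the four 16-byte partition entries and the 0x55AA signature, and lists the reasons a sector looks wiped. The entropy threshold and the image-header heuristic are assumptions for illustration; the sample sectors are constructed inline.

```python
"""Triage a raw 512-byte boot sector for signs of MBR wiping (added example)."""
import math
import struct
from collections import Counter

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"
HIGH_ENTROPY = 7.0  # assumed threshold, bits per byte; random overwrites approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_partitions(sector: bytes) -> list:
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector: bytes) -> dict:
    """Return signature status, partition table, bootstrap entropy and findings."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    findings = []
    signature_ok = sector[SIGNATURE_OFFSET:] == b"\x55\xaa"
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    partitions = parse_partitions(sector)
    if all(p["type"] == 0 for p in partitions):
        findings.append("partition table is empty")
    for i, p in enumerate(partitions):
        if p["status"] not in (0x00, 0x80):  # only inactive/bootable are valid
            findings.append(f"partition {i} has invalid status byte 0x{p['status']:02x}")
    bootstrap = sector[:PARTITION_TABLE_OFFSET]
    entropy = shannon_entropy(bootstrap)
    if len(set(bootstrap)) == 1:
        findings.append("bootstrap area is a single repeated byte")
    elif entropy > HIGH_ENTROPY:
        findings.append(f"bootstrap entropy {entropy:.2f} bits/byte, consistent with random overwrite")
    # Heuristic (assumption): the 2012 wave replaced the MBR with a picture, so an
    # image file header at offset 0 is a strong sign of that behaviour.
    if sector.startswith(b"\xff\xd8\xff") or sector.startswith(b"\x89PNG"):
        findings.append("sector begins with an image file header")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "bootstrap_entropy": entropy, "findings": findings,
            "suspicious": bool(findings)}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: varied bootstrap bytes, one bootable NTFS partition, valid signature."""
    bootstrap = bytes(range(256)) + bytes(PARTITION_TABLE_OFFSET - 256)
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 1_000_000)
    return bootstrap + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python mbr_triage.py disk.img  (or a raw device)
        with open(sys.argv[1], "rb") as f:
            sector = f.read(MBR_SIZE)
    else:
        sector = bytes(MBR_SIZE)  # constructed: a sector zeroed by a wiper
    for finding in triage_mbr(sector)["findings"]:
        print(finding)
```

Run it against the raw device or a forensic image; a healthy sector returns no findings, while a zeroed, randomized or image-overwritten sector is reported with the specific reason, which is more useful in an incident timeline than a bare "disk will not boot".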
The communications module installed by the dropper contacts the command-and-control (C2) server URL, identifying itself with a fixed User-Agent string.
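Since the dropper names both modules from a fixed list, the two cheapest host-side checks are a filename match against that list and a SHA-256 match against the hashes in the IOC section. The sweep below is an added example written for this page, not the vendor's detector. `MODULE_NAMES` and `IOC_SHA256` are placeholders to be filled from the advisory's filename lists and hash table; the directory tree in `demo_sweep` is constructed so the script runs offline.

```python
"""Sweep directories for Shamoon 3 dropped modules by filename and SHA-256 (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholders: substitute the communications and wiper module filenames from the advisory.
MODULE_NAMES = {"placeholder-comm-module.exe", "placeholder-wiper-module.exe"}
# Placeholder: substitute the SHA-256 IOCs from the advisory.
IOC_SHA256 = set()
DEFAULT_SUFFIXES = (".exe",)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, digest: str, names=MODULE_NAMES, hashes=IOC_SHA256) -> list:
    """Reasons a file is interesting: name on the module list and/or hash on the IOC list."""
    reasons = []
    if name.lower() in {n.lower() for n in names}:
        reasons.append("filename on Shamoon 3 module list")
    if digest.lower() in {h.lower() for h in hashes}:
        reasons.append("SHA-256 matches IOC")
    return reasons


def sweep(roots, names=MODULE_NAMES, hashes=IOC_SHA256, suffixes=DEFAULT_SUFFIXES) -> list:
    """Walk each root, hash candidate executables and return matches sorted by path."""
    matches = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for filename in filenames:
                if not filename.lower().endswith(suffixes):
                    continue
                path = Path(dirpath) / filename
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue  # locked or unreadable files are skipped, not fatal
                reasons = classify(filename, digest, names, hashes)
                if reasons:
                    matches.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return sorted(matches, key=lambda m: m["path"])


def demo_sweep() -> list:
    """Constructed tree: one hit by placeholder name, one hit by hash, one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "placeholder-comm-module.exe").write_bytes(b"MZ constructed sample")
        (root / "benign.exe").write_bytes(b"MZ constructed benign")
        (root / "sub").mkdir()
        (root / "sub" / "random-name.exe").write_bytes(b"abc")
        hashes = {hashlib.sha256(b"abc").hexdigest()}  # constructed IOC for the demo
        return sweep([root], MODULE_NAMES, hashes)


if __name__ == "__main__":
    for m in demo_sweep():
        print(m["path"], m["sha256"], "; ".join(m["reasons"]))
```

On a real host call `sweep` with the directories the dropper writes to and the lists from this advisory; a name-only hit is worth triaging because the dropper's random choice from a short list means a benign collision is unlikely, while a hash-only hit under a name not on the list is exactly what a renamed sample would look like.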
Indicators of Compromise
SHA-256 Hashes
Recommendations for Mitigation
System administrators and users are advised to take the following actions.
• Apply the latest patches to all systems.
• Enforce a least-privilege policy.
• Disable outdated plugins and components.
• Employ sandboxing, data categorization and network segmentation.
• Employ multilayered security controls such as application control.