The destructive Shamoon malware campaign returned in January 2017, targeting several Saudi organizations. Shamoon was first detected in 2012, when it wiped the data on over 30,000 computer systems and overwrote the hard drive Master Boot Record with a picture of a burning US flag.
According to Symantec, the threat actors behind Shamoon are the Greenbug cyber espionage group. Another speculation is that this could be the work of Iranian state-sponsored hackers. The main attack vector used by this group is specially crafted email. The Greenbug group targets a range of organizations in the Middle East, including companies in the chemical, aviation, banking and government sectors. This particular threat uses the Trojan.Ismdoor Remote Access Trojan along with a variety of other tools to steal sensitive credentials from compromised organizations. The Shamoon attacks revealed a new strategy: the malware uses account credentials hardcoded for the specific targeted organization.
Trojan.Ismdoor is able to steal sensitive credentials from the targeted organizations, and we found a backdoor that uses a PowerShell script to collect information from the targeted computer system and write it to a temporary file.
Figure 1 - Commands used by Shamoon2 to collect various sensitive information (image not reproduced)
Figure 2 - Commands used by Shamoon2 to collect various sensitive information (image not reproduced)
Figure 3 - Commands used by Shamoon2 to collect various sensitive information (image not reproduced)
The following is the list of files that the Shamoon malware accesses, writes and removes:
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\Tmp98871 - accessed
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\Tmp98871 - written
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\tmp43hh11.txt - removed
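As an added example (not code from the original post), the following Python detector runs over constructed, Sysmon-style file-event lines and flags the two temp-file names from the list above, matching only the path tail so the result does not depend on the user profile (the page's paths use the XP-era "Local Settings\Application Data" layout, which is AppData\Local on newer Windows). It raises the severity when the process touching the file is powershell.exe, matching the PowerShell collection behaviour described earlier; the pipe-delimited event format and the severity scheme are assumptions.

```python
import re

# File names taken from the page's access/write/remove list. Only the tail of
# the path is matched, because the "student" profile belongs to the analysis
# machine and the same directory is AppData\Local\Microsoft\Windows on Vista+.
SUSPICIOUS_TAIL = re.compile(r"\\microsoft\\windows\\(tmp98871|tmp43hh11\.txt)$")

# Constructed sample events, not real telemetry. Fields: event|image|target.
SAMPLE_EVENTS = r"""
FileCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\Tmp98871
FileCreate|C:\Windows\explorer.exe|C:\Users\alice\Documents\report.docx
FileDelete|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Local\Microsoft\Windows\tmp43hh11.txt
FileCreate|C:\Windows\System32\notepad.exe|C:\Users\bob\AppData\Local\Microsoft\Windows\Tmp98871
"""


def parse_event(line):
    """Split one pipe-delimited event into (event, image, target)."""
    event, image, target = line.split("|", 2)
    return event, image, target


def is_suspicious_target(target):
    """True when the target path ends in one of the page's temp-file names."""
    return SUSPICIOUS_TAIL.search(target.lower()) is not None


def score_events(text):
    """Return (event, process, target, severity) for each matching line.

    Assumed severity scheme: 'high' when powershell.exe touches the file
    (the collection backdoor writes its output via PowerShell), otherwise
    'medium' so that the hit is still surfaced for triage.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, image, target = parse_event(line)
        if not is_suspicious_target(target):
            continue
        process = image.rsplit("\\", 1)[-1].lower()
        severity = "high" if process == "powershell.exe" else "medium"
        hits.append((event, process, target, severity))
    return hits


if __name__ == "__main__":
    for hit in score_events(SAMPLE_EVENTS):
        print(hit)
```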
Possible credential database file - PDB file
Figure 4 - Presence of Portable Database
This Shamoon2.Jan2017 variant uses a hardcoded username and password (stolen earlier) to access the computer for infection. The ‘.pdb’ extension is the portable database extension. We guess that the stolen credentials are stored in these ‘.pdb’ files.
Also, we assume that most people affected by this malware must be using Windows systems.
Figure 5 - Shamoon2 verifies the stolen credentials with the victim machine (image not reproduced)
What this “...\WinHttp\Passport Test” string means: ‘WinHttp’ provides platform support for Microsoft Passport by implementing the client-side protocol for Passport authentication. It frees applications from the details of interacting with the Passport infrastructure and with the Stored User Names and Passwords in Windows. This abstraction makes using Passport, from a developer's perspective, no different from using traditional authentication schemes such as Basic or Digest.
The following are the files that are dropped by the Shamoon2 malware.
Indicators of Compromise - SHA256 hash values
This analysis highlights the important aspects of the Shamoon2.Jan17 malware. A detailed threat analysis of Shamoon 2.0 is updated here.