Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back! It appears that the Shamoon malware aka “Shamoon 2” is targeting Saudi computers. Back in 2012, malware known as Disttrack , under the name of Shamoon, targeted computers in Saudi Arabia, with Iran being the previous culprit. It is believed that Iran had been skilled in malware development after attacks against Iran in the form of Stuxnet in 2010. Iran may have adapted malware such as Stuxnet and Wiper to fire back against their targets. In 2012, Iran destroyed over 30,000 systems in the Saudi Aramco and RasGas Co Ltd. company networks, taking down Saudi Aramco for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems, and is relatively rare (other recent malware e.g. Mamba ransomware, will hold users to ransom to have their systems un-encrypted). Previous famous occasions involving disk-wiping software such as Shamoon include in 2012 the Dark Seoul Attack and in 2014 the attack on Sony Corporation Hollywood studios and the Sands Casino in Las Vegas. 

The 2012 Shamoon attacks against Saudi Aramco & RasGas Co Ltd. computers showed images of a burning U.S. flag and in the latest Shamoon 2 attack, a distasteful image of the body of the drowned child, Syrian refugee Alan Kurdi was used (the Iranian state blame Saudi for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries along with the Saudi central bank. Shamoon 2 also, after staring to wipe the hard drive, disables computers’ boot functions so it cannot recover its operating system. Similar to the attacks in 2012, Shamoon 2 was timed to detonate when most employees would be off work during a holiday(their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack works

 

Disttrack is comprised of a dropper, communications and wiper parts. The Disttrack executable dropper extracts more tools and coordinates when to save and execute when needed. Disttrack has a component responsible for communicating with a C2 server (C&C or command and control server) and another unit used to wiping the hard drives.

Disttrack tries spreading to other computer networks using previously obtained administrator credentials, similar to the 2012 Shamoon attacks, where previously compromised credentials were hard coded into the malware.

 
The Dropper component
 

The dropper’s job involves disabling User Access Control (UAC) remote restrictions on an infected computer, logs into the remote system, and uses an administrator’s stolen credentials. The payload is written to the location: system32 folder. The kernel driver is from the RawDisk product by EldoS Corporation; this gives the malware direct access to files, disks and partitions.

 
The Communications component
 

This component interacts with Disttrack’s command and control (C&C) server and using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack do not use an operational Disttrack C2 server. The lack of an operational C2 server means the Iranian attackers had no need to remotely access the targeted computers; instead the intention was to destroy the target computers.

 
If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, because “shinu” may refer to the name of a village in NW Iran.

The Wiper component


The wiper component installs a kernel driver that allows it to begin writing to protected parts of the system. Those include the Master Boot Record (MBR) and partition tables of storage volumes.
After overwriting the target had drives, Disttrack instructs the target computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost and the system has to be formatted and reinstalled.


Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)

  

Iranian Hackers Attack State Dept. via Social Media Accounts


Iran launched sophisticated computer espionages leading to a series of cyberattacks against US State Department officials over the past month.

It is possible that cyberespionage is becoming the tool of seeking the type of influence that Iranian hardliners hoped that that country’s nuclear program will eventually provide.

According to diplomatic and law enforcement officials who are familiar with the investigation Iranian hackers over the past month identified individual State Department officials who focus on Iran and the Middle East and broke into their email and social media accounts. The State Department became aware of the compromises when Facebook told the victims that the state-sponsored hackers compromised their accounts.

Iran’s cyberskills are not yet equal to those of Russia or China but the attack against the State Department by using the social media accounts of young government employees to gain access to their friends across the administration is a focus that was not seen before.

Iranians have been less destructive than they could be, but they are getting far more aggressive in cyberespionage, which they know is less likely it will prompt a response from the United States.

Iranian hackers have been responsible for a series of powerful attacks against American banks that took their websites offline as well as a destructive attack on Saudi Aramco, the world’s largest oil producer, that replaced data on employee machines with an image of a burning American flag. American government officials also blame Iran for a similarly destructive attack at RasGas, the Qatari natural gas giant,and for an attack on Sands Casino in Las Vegas, where a large number of computers were destroyed.

Last year Iranians began using cyberattacks for espionage rather than for destruction and disruption. From May 2014 Iranian hackers were targeting Iranian dissidents and later policy makers,senior military personnel and defense contractors in the United States, England and Israel.

The attacks were basic “spear phishing” attempts, in which attackers tried to lure their victims to click on a malicious link, in this case by impersonating members of the news media.
Iranian hackers were successful in more than a quarter of their attempts. The number of such attacks reached its climax in May just ahead of the nuclear talks in Vienna in July and reached more than 1,500 attempts.

In the months before the talks, Iran’s hackers began probing critical infrastructure networks in what appeared reconnaissance for cyberattacks with the objective of causing physical damage but in June and July as American and Iranian negotiators gathered in Vienna to agree a deal on Iran’s nuclear program, attacks against targets in the United States stopped. Instead of this, Iran started targeting victims in Israel as well as members of Daesh in July as the militant group began expanding territory across Iraq.

Then in August just two weeks after the nuclear accord was reached, the trickle of cyberattacks against the group’s usual targets resumed against included 1600 individuals from scholars, scientists, chief executives and ministry officials to education institutes, journalists and human rights activists. If facebook last month had not decided to use a new alert system to notify users when facebook’s security team believed state-sponsored hackers had hijacked their accounts, and US State Department officials began to see a troubling new message pop up on their facebook accounts, it is possible that the victims didn’t learn of the compromises.

  

Iran Cyber Attack Feared Soon

Fears are growing that Iran will release cyber warfare on US companies if negotiators fail to reach a nuclear deal by Monday that would require Iran limits its nuclear program.
Cyber-attacks from Tehran dropped after the US, Iran and other countries agreed an interim nuclear deal in 2013, but if discussions in Vienna failed before a November. 24 deadline, observers expect a new series of attacks.
American financial companies, oil and gas companies and water filtration systems could be among the targeted companies. 
 
The US has not yet faced the full force of Iran’s rapidly developing cyber capabilities. Iran initially increased its cyber efforts in 2010 and launched a barrage of simplistic attacks on the US financial sector in 2012. Detecting such relatively harmless attacks was easy.  
Over the last two years, Iran has formed a Supreme Council of Cyberspace that meets once a month and includes President Hassan Rouhani.
Iranian officials also strengthened cybersecurity research partnerships with Russia and Iran has gone from a nascent to a burgeoning cyber power.
Security company FireEye described that one popular Iranian hacking group went from website defacements in 2010 to “malware-based espionage” in just four years.
It is reported that Iranian hackers attacked oil giant Saudi Aramco, the world’s most valuable company, and deleted the contents of 30,000 computers. The same virus also hit Qatar-based liquid petroleum gas firm RasGas.
While the US is bombarded with cyber attacks, it has never been the subject of a large-scale destructive attack. So far Tehran’s hackers are mostly suspected of probing around US infrastructure networks to understand their designs.
But if the nuclear talks fell apart that could change. And this time an Iranian attack could be more advanced.