Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back! It appears that the Shamoon malware aka “Shamoon 2” is targeting Saudi computers. Back in 2012, malware known as Disttrack , under the name of Shamoon, targeted computers in Saudi Arabia, with Iran being the previous culprit. It is believed that Iran had been skilled in malware development after attacks against Iran in the form of Stuxnet in 2010. Iran may have adapted malware such as Stuxnet and Wiper to fire back against their targets. In 2012, Iran destroyed over 30,000 systems in the Saudi Aramco and RasGas Co Ltd. company networks, taking down Saudi Aramco for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems, and is relatively rare (other recent malware e.g. Mamba ransomware, will hold users to ransom to have their systems un-encrypted). Previous famous occasions involving disk-wiping software such as Shamoon include in 2012 the Dark Seoul Attack and in 2014 the attack on Sony Corporation Hollywood studios and the Sands Casino in Las Vegas. 

The 2012 Shamoon attacks against Saudi Aramco & RasGas Co Ltd. computers showed images of a burning U.S. flag and in the latest Shamoon 2 attack, a distasteful image of the body of the drowned child, Syrian refugee Alan Kurdi was used (the Iranian state blame Saudi for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries along with the Saudi central bank. Shamoon 2 also, after staring to wipe the hard drive, disables computers’ boot functions so it cannot recover its operating system. Similar to the attacks in 2012, Shamoon 2 was timed to detonate when most employees would be off work during a holiday(their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack works

 

Disttrack is comprised of a dropper, communications and wiper parts. The Disttrack executable dropper extracts more tools and coordinates when to save and execute when needed. Disttrack has a component responsible for communicating with a C2 server (C&C or command and control server) and another unit used to wiping the hard drives.

Disttrack tries spreading to other computer networks using previously obtained administrator credentials, similar to the 2012 Shamoon attacks, where previously compromised credentials were hard coded into the malware.

 
The Dropper component
 

The dropper’s job involves disabling User Access Control (UAC) remote restrictions on an infected computer, logs into the remote system, and uses an administrator’s stolen credentials. The payload is written to the location: system32 folder. The kernel driver is from the RawDisk product by EldoS Corporation; this gives the malware direct access to files, disks and partitions.

 
The Communications component
 

This component interacts with Disttrack’s command and control (C&C) server and using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack do not use an operational Disttrack C2 server. The lack of an operational C2 server means the Iranian attackers had no need to remotely access the targeted computers; instead the intention was to destroy the target computers.

 
If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, because “shinu” may refer to the name of a village in NW Iran.

The Wiper component


The wiper component installs a kernel driver that allows it to begin writing to protected parts of the system. Those include the Master Boot Record (MBR) and partition tables of storage volumes.
After overwriting the target had drives, Disttrack instructs the target computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost and the system has to be formatted and reinstalled.


Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)