The infamous Shamoon malware (aka Disttrack), known for its cyber espionage skills, has returned, and it is now more advanced than before, with the added capability of taking down virtual machines.
Shamoon can spread across the local network. It compiles a list of files from specific locations on a computer and sends it to the attacker before deleting those files. It can also overwrite the MBR, rendering the machine inaccessible.
Shamoon first appeared in 2012, when it was used to attack the Saudi Arabian oil company Saudi Aramco, affecting 35,000 machines. It took almost a week to get those machines back online. In November 2016, a new instance of the Shamoon malware, dubbed ‘Shamoon 2’, came to light. It was used to attack another Saudi Arabia-based firm and was set to wipe the systems on November 17.
A similar payload, called ‘Second Shamoon 2’, was spotted again in November by security researchers at Palo Alto Networks, and it also targeted an organization in Saudi Arabia. The researchers note that this second Shamoon 2 sample contained hardcoded account credentials belonging to the victim organization, a behavior not observed in the previous Shamoon 2 case.
Because these user credentials comply with Windows password complexity requirements, the researchers assume that an as-yet-unknown attack, similar to the November 17 one, was used to harvest the usernames and passwords for the latest attack.
Submitted by: Arnfried Walbrecht