Shamoon 2 Active in Middle East

Tuesday, January 24, 2017 @ 03:01 PM gHale

Researchers have identified another attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group. The new campaign is being called Shamoon 2.

The attack uses the Disttrack malware, which also served as the destructive payload in the original Shamoon attack. While the malware can take down systems, it needed other means to infiltrate the targeted organizations’ networks, said researchers from Symantec.


Disttrack, used by the original Shamoon, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to petroleum and natural gas company Saudi Aramco. The attack also hit other critical infrastructure companies in Saudi Arabia such as RasGas, one of the world’s largest producers of liquid-petroleum gas, and the first petrochemical company in Saudi Arabia, Saudi Arabian Fertilizer Company (SAFCO).

Shamoon 2, the more recent version, targeted organizations in Saudi Arabia, including the country’s General Authority of Civil Aviation (GACA).

The first wave of Shamoon 2 attacks launched on November 17 and a second wave on November 29. The attacks, which some have attributed to Iran, relied on the Disttrack malware to automatically begin wiping infected systems at a specified time.

The malware was planted on targeted systems using stolen credentials, and Symantec researchers believe those credentials may have been obtained in a prior attack launched by a threat actor named Greenbug.

Symantec first discovered the Greenbug cyberespionage group during its investigation into the original Shamoon attack, and the group resurfaced during the November attacks.

This cyber espionage group has used a remote access Trojan (RAT) called Ismdoor and other tools in attacks aimed at organizations in the Middle East. The attackers targeted aviation, investment, government and education organizations in several countries, including Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia.

While there is no definitive link between Greenbug and Shamoon, Symantec determined Greenbug may have supplied credentials for the Shamoon attacks after detecting an Ismdoor infection on an administrator computer belonging to one of the organizations targeted with Disttrack.

Researchers pointed out Ismdoor and other Greenbug tools became inactive just one day before the November 17 attacks.

Active since at least June 2016, Greenbug most likely uses email to compromise targeted organizations, researchers said.
