Shamoon Disk-Wiping Malware Upgraded with Ransomware Module

  • March 7, 2017
  • 06:00 AM

The Shamoon disk-wiping malware has received a major upgrade during the past few months, and now features a ransomware module, along with support for both 32-bit and 64-bit architectures, researchers from Kaspersky Lab revealed on Monday.

Shamoon, also known as Disttrack and first spotted in 2012, is one of the most notorious malware families in use today, even though it is also one of the most rarely deployed.

The malware rose to infamy in 2012 after a nation-state actor used it to erase data from over 35,000 computers belonging to Saudi Aramco, the Saudi national oil company.

[Figure: Shamoon timeline. Timeline of attacks with disk-wiping malware (via Kaspersky)]

The malware was also used against other, smaller targets, but mostly remained dormant until November 2016, when reports from Symantec and Palo Alto Networks revealed new attacks against a number of private companies in Saudi Arabia.

According to Kaspersky, this new wave of attacks continued through December 2016 and into January 2017.

New StoneDrill disk wiper discovered

After analyzing the malware used in these attacks, Kaspersky researchers say they discovered not only an overhauled version of Shamoon, which they now track as Shamoon 2.0, but also a new disk-wiping malware family closely related to Shamoon, which they named StoneDrill.

Based on an in-depth analysis of the two strains, published in Kaspersky's 30-page report, StoneDrill is considerably more advanced than Shamoon 2.0, and it has also been used against a company located in Europe, not only against Saudi Arabian targets.

StoneDrill's most notable additions are its use of advanced sandbox-evasion techniques, its use of external scripts to carry out malicious actions, and a fileless infection method that injects the wiper component directly into memory on the victim's computer rather than relying on a driver to reach the disk, as the Shamoon family does.

[Figure: Similarities and differences between Shamoon and StoneDrill (via Kaspersky)]

Shamoon 2.0 and StoneDrill also share several of the same pre-wiping capabilities, such as commands to dump and steal credentials from infected hosts, backdoor functionality for exfiltrating data from victims, and some common C&C server infrastructure.

Shamoon ransomware module used as a false flag

As for Shamoon itself, version 2.0 includes many new features, of which the ransomware module stands out.

The prevailing theory is that Shamoon operators will use the ransomware module as an alternative to wiping data from computers.

The reason Shamoon operators wiped data from infected hosts in the first place was to cover their tracks after stealing data from the victim's machines.

Experts believe the Shamoon ransomware module will be used to fool victims into believing they suffered a mundane ransomware infection, so that they restore files from backups, or wipe and reinstall the affected computers, without investigating the incident any further. For defenders, the practical caveat is that an encrypted host with a ransom note should not be treated as a closed case until the possibility of data theft preceding it has been ruled out.

Previous reports on Shamoon from companies such as Websense (now Forcepoint), Seculert, and Kaspersky have suggested that an Iran-based group, possibly a state actor, might be behind the attacks.

[Figure: Insight on Shamoon operations (via Kaspersky)]


Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more.