Overview and thoughts about Shamoon3 toolkit
On August 15, 2012, a computer attack knocked out about 30,000 Windows systems at the Saudi Aramco oil company. The incident had a significant impact on business processes and production at the company, which took weeks to return to normal activity. The malware deployed in the attack was designed to erase information from hard drives, and was subsequently called Shamoon. After the initial success against Saudi Aramco, attacks utilizing Shamoon were repeated against other companies in the energy sector as well as in government and finance. Incidents attributed to Shamoon and widely reported in the media include:
- 15-08-2012: Saudi Aramco (Saudi Arabia)
- 27-08-2012: RasGas (Qatar)
- 17-11-2016: Saudi Arabia’s General Authority of Civil Aviation (GACA) (Saudi Arabia)
- 17-11-2016: Saudi Arabian Monetary Agency (Saudi Arabia)
- 29-11-2016: Tasnee (Saudi Arabia)
- 23-01-2017: Sadara Chemical Company (Saudi Arabia)
- 11-12-2018: Saipem (Italy)
During their last known attack – this time against the Italian oil and gas company Saipem – the actors behind Shamoon added to their arsenal a new toolkit designed to spread the malware inside the attacked network, as well as a new wiper. Both are analyzed in more depth in our report. The attack took place back in December 2018, so this post provides a retrospective overview, our thoughts and some relevant references.
Overview and thoughts
The threat actors added several tools written in .NET to the previously identified Disttrack wiper, also known simply as Shamoon. The purpose of these tools is to propagate the attack from an initially compromised system to the rest of the network. They were compiled between the 8th and 9th of December 2018 and submitted to VirusTotal on the 12th of December, possibly by the targeted company, Saipem.
OCLC allows the attack to be launched manually against a series of systems specified in its configuration files. It executes the SPREADER in order to propagate the malware to the configured remote systems. Finally, a new wiper based on an open source project has been spotted operating entirely in user mode, without any driver, whose function is to remove files from disk.
On this occasion, the tool used to remove the information from the attacked systems is a modified version of the open source project SuperDelete. Once again, these actors use third-party code to implement the most complex part of their wiper. The rest of the code in the toolkit is of little complexity, with a messy programming style that does not match what we would expect to see in malware created by a state-sponsored group.
It is also important to highlight that the component used to propagate the malware through the target’s internal network does not use credentials or any type of privilege escalation. This suggests that the attacker already had privileged access to the system from which the attack was launched. Besides that, this component takes as its argument a text file containing a list of systems to attack, each one identified with its operating system. Everything seems to indicate that there was an initial phase of identification and compromise of the attacked network. This matches previous campaigns, in which Shamoon used credentials hardcoded inside the malware body, likely obtained during a phase before the final attack. Once the internal network is compromised, sabotage can be carried out without the need for complex development.
The threat group behind Shamoon remains largely shrouded in mystery. A seemingly thoughtful and deliberate group, they have deployed their destructive wiper in only three known campaigns. On each occasion, those behind Shamoon have targeted entities in the Middle East, with a particular focus on Saudi Arabia.
Shamoon’s prolonged yet consistent targeting of Saudi Arabia – coupled with some of the images the group has left on victim machines, such as the image of a burning American flag, the image of Alan Kurdi in previous Disttrack versions, or the ASCII art used on this occasion – has led some analysts to hypothesize that the group has links to the Iranian government. It is important to note, however, that non-Saudi companies have been impacted by Shamoon as well: RasGas is Qatari, Saipem is an Italian company with a Middle Eastern presence, and an unidentified heavy engineering company in the UAE was also a victim of the December 2018 attacks.
Multiple researchers have highlighted potential overlap between the Shamoon threat actors and Iranian-sponsored APT33. In December 2018, researchers at Symantec revealed that one of the victims of Shamoon’s third campaign had been previously infected by APT33’s StoneDrill malware, raising the possibility of cooperation or coordination between the two groups.
Similarly, researchers at McAfee published analysis following the December 2018 attacks that also linked Shamoon to APT33 (or, interestingly, “a group masquerading as APT33”). Despite these claims, McAfee refers only vaguely to shared TTPs and domains linking the two groups. It is unclear what evidence McAfee is basing these claims on.
Other researchers have pointed to the possibility of a link between APT34 (aka Greenbug) and the Shamoon threat actors. In January 2017, Symantec found that “[APT34] compromised at least one administrator computer within a Shamoon-targeted organization’s network.” APT34 is likewise believed to be linked to Iran.
Blueliv analysts cannot independently verify the analysis conducted by Symantec or McAfee. Blueliv analysts assess that there is a realistic possibility that the Shamoon wiper may be deployed again in the future against targets with a presence in the Middle East.
This blog post was authored by Oscar Gallego and supported by others on the Blueliv Labs team.