Shamoon data-wiping malware believed to be the work of Iranian hackers
A spate of recent attacks involving the Shamoon data-wiper malware family has been attributed to the Iranian hacking group APT33.
On Wednesday, the McAfee Advanced Threat Research team said APT33 — or a group masquerading as APT33 — is likely responsible for a recent campaign which targeted industrial players in the Middle East and Europe.
It was earlier this month that ZDNet learned of the Shamoon malware’s presence on Italian oil and gas contractor Saipem’s networks. The company operates across the Middle East, India, Italy, and Scotland.
McAfee said in a blog post that recent Shamoon-based campaigns have been detected not only targeting companies directly but also being used in supply chain attacks, reaching the ultimate victims through their contractors and service providers.
Shamoon is an extremely destructive malware designed to wipe infected systems by overwriting information with garbage data.
Two versions of the malware have been recorded in past years. The earliest incident involving Shamoon took place in 2012 against the Saudi Aramco oil company — leading to the wipe of at least 30,000 PCs — whereas over 2016 and 2017, both an upgraded Shamoon v.2 wiper and the Stonedrill wiper were used.
In all of these cases, infected systems were also defaced with propaganda, including images of the burning American flag and a drowned Syrian child.
Over the past few weeks, a new variant of Shamoon has been found attacking oil, gas, energy, telecom, and government organizations by way of job offer-related phishing campaigns and malicious websites which trick victims into submitting their account credentials.
The latest version of Shamoon has been revamped in a modular fashion, containing a number of different features. The new wiper samples come under the name Filerase.
Contained in the malware is a list of targeted computers, a spreader for the file eraser, code able to exfiltrate information relating to a target PC’s operating system, a remote wiper execution module, and the new wiper itself, which deletes every file found upon execution.
The wiper has three options: running in silent mode, a privilege escalation script which is always enabled, and a tracker which records the number of folders and files erased.
While the latest version of Shamoon itself is heavily encrypted, the packaged .NET toolkit that spreads Shamoon v.3 and Filerase has not been awarded such protection. After reverse engineering the unobfuscated package, the researchers found ASCII art resembling Arabic text from the Quran, translated as "perish the hands of the Father of flame" or "the power of Abu Lahab will perish, and he will perish."
McAfee believes that multiple developers were involved in the latest Shamoon campaign, which was “prepared months in advance [..] with the wiper execution as the goal.”
“Attributing this attack is difficult because we do not have all the pieces of the puzzle,” McAfee says. “We do see that this attack is in line with the Shamoon v.2 techniques. Political statements have been a part of every Shamoon attack. […] Now we see a verse from the Quran, which might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement.”
It is certainly possible that Iranian hackers could be at the root of the matter, especially considering the recent political tensions between the country and the United States. President Trump announced the withdrawal of the US from the 2015 nuclear deal, established by the Obama Administration, back in May.
While many cyberattacks attributed to Iran have focused in past years on the Middle East, simmering political tensions have raised speculation that their gaze may turn towards the US in future campaigns.
FireEye was among the first to track APT33, which has previously been attributed to attacks in both military and commercial aerospace across the US, Saudi Arabia, and South Korea. Associated malware beyond Shamoon includes Shapeshift, Dropshot, Nanocore, and Alfa Shell.