Shamoon Malware from 2016-2017 Evolved With File Wiping Capability
McAfee, the Intel subsidiary antimalware vendor, has recently disclosed the evolution of the Shamoon malware, with Europe and the Middle East as the two most infected regions. The newer version of Shamoon has an added capability of wiping files off the hard drives, making the new variant very damaging for its victims. Like other complex malware of this generation, Shamoon's new variant is not a single-file malware but comes as a modular toolkit of related files, which according to McAfee are the following:
- OCLC.exe: Used to read a list of targeted computers created by the attackers. This tool is responsible for running the second tool, spreader.exe, against each machine on the list.
- Spreader.exe: Used to spread the file eraser to each machine on the list. It also gathers information about the OS version.
- SpreaderPsexec.exe: Similar to spreader.exe but uses psexec.exe to remotely execute the wiper.
- SlHost.exe: The new wiper, which browses the targeted system and deletes every file.
Even with the complexity of Shamoon, its behavior was understood by McAfee relatively quickly, since the malware was developed on the .NET Framework, a toolkit that is very well known and understood by the developer community. From the attack pattern of the malware, it can be concluded that the author's goal is to focus on oil-exporting countries, which are mostly in the Middle East. Using PowerShell, the next-generation command-line scripting utility in Windows, the malware executes PowerShell scripts downloaded from its command and control servers; these include capturing user credentials and identifying the Windows Active Directory domain of which the PC is a member.
“Using the ‘toolkit’ approach, the attackers can spread the wiper module through the victims’ networks. The wiper is not obfuscated and is written in .Net code, unlike the Shamoon Version 3 code, which is encrypted to mask its hidden features. Attributing this attack is difficult because we do not have all the pieces of the puzzle. We do see that this attack is in line with the Shamoon Version 2 techniques. Political statements have been a part of every Shamoon attack. In Version 1, the image of a burning American flag was used to overwrite the files. In Version 2, the picture of a drowned Syrian boy was used, with a hint of Yemeni Arabic, referring to the conflicts in Syria and Yemen. Now we see a verse from the Quran, which might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement,” explained Thomas Roccia, McAfee Advanced Threat team’s Security Researcher.
System administrators need to check their computers; if the following path exists, it may indicate a Shamoon infection:
- C:\Windows\System32\Program Files\Internet Explorer\Signing
Shamoon ensures that it runs in the background every time Windows starts, as the following commands are run during the initial infection (the misspelling "Maintenace" is the attackers' own and is part of the indicator):
- cmd.exe /c ""C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat
- cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config MaintenaceSrv binpath= C:\windows\system32\MaintenaceSrv64.exe LocalService" && ping -n 10 127.0.0.1 >nul && sc start MaintenaceSrv
- MaintenaceSrv32.exe LocalService
- cmd.exe /c ""C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat " "
- MaintenaceSrv32.exe service
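The path and persistence commands above can be turned into a detection check. The following is an added example, not McAfee's code: it matches process-creation command lines (the "CommandLine" and "Computer" field names and the sample events are constructed assumptions) against the service name, wiper binary, drop directory and ping-based sleep quoted above, and separately checks a host for the listed paths.

```python
import re
from typing import Callable, Dict, List
# Indicators quoted in the article. The attacker's misspelling "Maintenace"
# is part of the indicator and must be left exactly as-is.
IOC_PATHS = [
    r"C:\Windows\System32\Program Files\Internet Explorer\Signing",
    r"C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat",
    r"C:\windows\system32\MaintenaceSrv64.exe",
]
SERVICE_NAME = "MaintenaceSrv"

# (rule name, pattern over a process command line); case-insensitive because cmd.exe and Windows paths are.
RULES = [
    ("service_install", re.compile(r"\bsc(\.exe)?\s+config\s+" + SERVICE_NAME + r"\b", re.I)),
    ("service_start", re.compile(r"\bsc(\.exe)?\s+start\s+" + SERVICE_NAME + r"\b", re.I)),
    ("wiper_binary", re.compile(r"MaintenaceSrv(32|64)\.exe", re.I)),
    ("dropper_path", re.compile(r"Internet Explorer\\signin\\", re.I)),
    # "ping -n N 127.0.0.1 >nul" is the cmd.exe sleep used between the stages
    ("ping_sleep", re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\s*>\s*nul", re.I)),
]

def match_commandline(cmdline: str) -> List[str]:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rules over process-creation events and keep only the hits."""
    hits = []
    for ev in events:
        names = match_commandline(ev.get("CommandLine", ""))
        if names:
            hits.append({"host": ev.get("Computer", "?"), "rules": names})
    return hits

def check_paths(exists: Callable[[str], bool]) -> List[str]:
    """Indicator paths present on a host; `exists` is injected (os.path.exists on a live system, a stub in tests)."""
    return [p for p in IOC_PATHS if exists(p)]

# Constructed sample events: the first two reproduce the Shamoon commands
# listed above, the third is benign noise that must not alert.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "CommandLine": 'cmd.exe /c ""C:\\Program Files\\Internet Explorer\\signin\\MaintenaceSrv32.bat'},
    {"Computer": "ws01", "CommandLine": 'cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config MaintenaceSrv binpath= '
                                        'C:\\windows\\system32\\MaintenaceSrv64.exe LocalService" && ping -n 10 127.0.0.1 >nul && sc start MaintenaceSrv'},
    {"Computer": "ws02", "CommandLine": "ping -n 4 8.8.8.8"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["host"], ", ".join(hit["rules"]))
```

On a real host, call check_paths(os.path.exists) and feed scan_events with command lines exported from your process-creation logs.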