cybersecurity, protection

Shamoon wiper malware on the rise again

Saipem revealed they had been a victim of cyber attack. This Italian subsea engineering and construction firm operating in more than 60 countries, revealed this information during their Monday (10th December) press release. The attack infected up to 100 personal computers and around 400 servers based in the Middle East, India, Aberdeen and in a limited way - Italy. According to the company, no data has been lost, as the affected devices were fully backed up and operations are currently being restored.

The “culprit” of this attack is believed to be a new variant of a highly destructive Disttrack worm, or more commonly Shamoon malware. Previous iterations of Shamoon were used in some of the most damaging cyber attacks in history. In 2012 it infected tens of thousands of computers at two Middle East companies - Saudi Aramco and RasGas Co Ltd. It went silent for a few years and attacked again in 2016 and 2017 - among main victims were such Saudi Arabia companies as: Central Bank, Electric Company and General Authority of Civil Aviation.

Disttrack/Shamoon is a wiper malware, meaning it overwrites files stored in the attacked system and infects its master boot record (MBR), rendering the system unusable. First version replaced files with an image of a burning flag, and the second version - an image of a refugee. The newest version of Shamoon doesn’t use any images and irreversibly overrides the files, partitions and MBR with randomly generated data. Also unlike its predecessors it doesn’t spread the infection - perhaps this is a “test version” of the new iteration and the actual version will appear in the future.

The infection begins with a Disttrack dropper, which contains three modules: communications, wiper and a x64 variant of itself, which is used after determining the system’s architecture is x64. The dropper installs itself by creating a MaintenanceSrv service, then, choosing random names for communications and wiper, installs them on the system on which it was executed. After completing the wiping, the dropper reboots the system, which is rendered unusable, as important system locations and files were overwritten with random data.

All users, and especially businesses are recommended to secure their online premises; this can be achieved with the following:

  • regular patching and updating of all the systems to stop exploit kits from targeting vulnerabilities,
  • creating back-ups on regular basis (preferably also stored offline),
  • employing multi-layered security mechanisms with application control (stops suspicious executables and anomalous modifications), next generation firewall and intrusion prevention and detection systems, among others. Veronym Services offer exactly the above solutions and more to effectively protect users from known and unknown threats.

For more in-depth information about the specifics of this new iteration of Disttrack/Shamoon wiper, look up our partner’s Palo Alto Networks articles from their research centre (Unit42):

https://researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/

https://unit42.paloaltonetworks.com/shamoon-3-modified-open-source-wiper-contains-verse-from-the-quran/

Author image

About Radoslaw Wal

CTO at Veronym, cybersecurity veteran focusing on IT Security. Currently dedicated to helping small and medium companies protect their IT infrastructure by providing security as a service.

Prevention, not detection

According to a report published by Cisco Systems, statistically, companies are attacked more than 8,3 thousand times during their lifetime. Unfortunately, many of these attacks turn out to be successful, although we learn from media sources only about the most spectacular ones.