Shamoon 2 Resurfaces to Target Organizations in Saudi Arabia

A variant of the Shamoon virus has resurfaced to target Saudi Arabian organizations nearly five years after it was first detected in 2012.

According to US-CERT, Shamoon, also known as W32.DistTrack, is information-stealing malware that also wipes data and disables infected systems. Last week, an alert was issued by the Saudi telecom authority warning that attacks on the Saudi labor ministry and a chemical company were caused by the malware variant known as Shamoon 2.

In August 2012, the original Shamoon affected several energy companies in the Middle East including over 30,000 systems at Saudi Aramco, a state-run oil company in Saudi Arabia. Shamoon spread through Saudi Aramco’s network, sending data gathered from one Windows computer and to other infected computers on the network before the destructive module of Shamoon wiped the data from the systems, rewriting the Master Boot Record with an image of a burning American flag. The infected system would be unable to start up, making it unusable.

The new variant being called Shamoon 2 first emerged in November 2016 and again targeted energy companies in Saudi Arabia. This new variant appears to be similar to the original Shamoon with few changes. One key difference is the presence of user and administrator account information that includes passwords that were hardcoded into the malware. There is also a change in the image used to overwrite data. The original JPEG  image of the burning American flag has been replaced in the newer Shamoon attacks by a photo of the body of Alan Kurdi, the three-year old Syrian refugee who drowned when the boat he was aboard capsized enroute to Europe.

The subject matter of both images suggest the malware was motivated by political factors and that the companies were specifically targeted in retaliation for their connections to the US or Europe. The presence of account credentials indicates that the malware was created to target specific companies. The recently targeted Sadara Chemical Co., that reported network disruption last week, is jointly owned by Dow Chemical and Saudi Aramco, a company that was targeted in the original wave of Shamoon attacks.

The cybersecurity firm CrowdStrike alleges that the perpetrators of both variants were working in the interests of the Iranian government.

UPDATE, 2/6/17: Shamoon 2 has now affected 15 Saudi government agencies and private companies.

Sources:

Infosecurity Magazine. https://www.infosecurity-magazine.com/news/saudi-arabia-issues-shamoon-2-alert/

Reuters. http://www.reuters.com/article/us-saudi-cyber-idUSKBN1571ZR

Security Affairs. http://securityaffairs.co/wordpress/55634/cyber-crime/shamoon-2-greenbug.html

http://securityaffairs.co/wordpress/53951/cyber-crime/the-shamoon-disk-wiper-malware-returns-in-new-attacks.html

Palo Alto.  http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/

Tripwire. https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/second-wave-shamoon-2-disttrack-can-now-wipe-organizations-vdi-snapshots/

https://www.tripwire.com/state-of-security/featured/the-shamoon-v2-saga-continues/

CrowdStrike. https://www.crowdstrike.com/blog/shamoon2/

Symantec. https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever

ICS-CERT. https://ics-cert.us-cert.gov/jsar/JSAR-12-241-01B