The Resurrection of Shamoon Wiper Malware

The upcoming winter holidays bring forth not only new cyber threats but also old pieces of malware. That is exactly the case with the Shamoon malware, which has apparently returned to the malware scene after a four-year vacation. Reports from the security companies Symantec and Palo Alto reveal details about its resurrection.


Shamoon Targets Saudi Companies Once Again

Shamoon, a.k.a. Disttrack, was originally discovered about four years ago in attacks on the Saudi oil company Aramco. The intent was to wipe out thousands of computers.

This time around, the malware is targeting another Saudi organization, which hasn’t been revealed yet. And its agenda is not just wiping companies’ machines but also overwriting their Master Boot Records with the image of Aylan Kurdi’s corpse. The attack took place on November 17, which is a Muslim holiday. The attackers probably chose this date to bypass security measures.


Apparently, Shamoon had a list of hardcoded logins, which allowed the malware to perform its malicious activities quicker. This also means that the targeted company had already been breached. According to Palo Alto, the attackers could be the same ones from Shamoon’s initial campaigns four years ago.

“The current attack campaign has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective.”

“Disttrack malware used in the recent attacks is very similar to the variant used in the 2012 attacks, which uses the exact same RawDisk device driver as well.”


Shamoon/Disttrack Malware Technical Overview

Palo Alto explains that the malware is comprised of three distinct parts:

  • Dropper;
  • Communication;
  • Wiper components.


The main executable is a dropper deployed to extract additional tools from embedded resources. It’s also used to coordinate when to save and execute them.

Embedded within each Disttrack sample is a component responsible for communicating with a C2 server and a separate component used to carry out the wiping functionality.

The malware’s main purpose is data destruction, so it attempts to damage as many systems as possible. That’s why it tries to spread to other systems on the network via stolen admin credentials. As pointed out by the researchers, this is a tactic quite similar to the one deployed in the 2012 attacks.
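The spreading behaviour described above, one account reaching many hosts over the network within minutes, is something a defender can look for in authentication logs before the wipe date arrives. The following script is an added example, not code from the page or from Symantec or Palo Alto: it parses a constructed, simplified export of Windows network-logon records (event 4624, logon type 3) and flags any user/source pair that logs on to an unusually large number of distinct hosts inside a short window. The log line shape, field names, thresholds and host names are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network-logon records (NOT taken from the page or any real
# incident). Each line: timestamp, event id, logon type, account, source IP, target host.
SAMPLE_LOGONS = """\
2016-11-17T01:00:05 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=FS01
2016-11-17T01:00:09 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=FS02
2016-11-17T01:00:12 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=WS-ACCT-07
2016-11-17T01:00:15 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=WS-HR-03
2016-11-17T01:00:21 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=DC02
2016-11-17T01:00:24 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=FS01
2016-11-17T01:00:30 4624 type=3 user=CORP\\svc_backup src=10.0.0.5 dst=PRINT01
2016-11-17T01:02:00 4624 type=3 user=CORP\\alice src=10.0.1.20 dst=FS01
2016-11-17T02:10:00 4624 type=3 user=CORP\\alice src=10.0.1.20 dst=FS02
2016-11-17T03:00:00 4624 type=3 user=CORP\\bob src=10.0.1.21 dst=FS01
"""

# Assumed flat-text layout; a real SIEM export would need its own field mapping.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) type=(?P<ltype>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_logon(line):
    """Return a dict for one record, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_credential_fanout(text, window=timedelta(minutes=5), min_hosts=5):
    """Flag (user, src) pairs that reach at least min_hosts distinct hosts within window.

    Only successful network logons (4624 / type 3) are considered, since that is the
    event shape produced when one machine authenticates to another with a stolen
    credential. Returns one finding per pair, anchored at the first window that trips.
    """
    by_pair = defaultdict(list)
    for line in text.splitlines():
        rec = parse_logon(line)
        if rec and rec["event"] == "4624" and rec["ltype"] == "3":
            by_pair[(rec["user"], rec["src"])].append((rec["ts"], rec["dst"]))

    findings = []
    for (user, src), events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct targets reached from this event until the window closes.
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "src": src,
                    "window_start": start.isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_credential_fanout(SAMPLE_LOGONS):
        print(f"{f['user']} from {f['src']} reached {len(f['hosts'])} hosts "
              f"starting {f['window_start']}: {', '.join(f['hosts'])}")
```

The thresholds are deliberately conservative defaults; a backup or monitoring account may legitimately touch many hosts, so in practice the rule is tuned per account class and paired with an allow-list rather than used as-is. The value of the check is that credential fan-out is visible days before a scheduled wipe, whereas the RawDisk-based overwrite itself leaves little time to react.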

Disttrack/Shamoon is also capable of downloading and executing additional apps on targeted systems, and of remotely setting the date on which to start wiping systems.


Why Are Attackers Using Wiper Malware?

The purpose of this type of malware is, obviously, not financial gain. These types of attacks are mainly deployed to cause chaos in an organization, and could be linked to hacktivist groups or politically engaged attackers. They could also be used to destroy evidence or cover the tracks of data exfiltration.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
