Shamoon Rebooted?

By and on

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines.

The initial infection vector for the recent attacks is unknown. Analyzing the submitted files, we started to recognize similar tactics and procedures that we discovered in 2012.

When the initial executable is run, it creates a copy of itself in the %SystemRoot%\System32 folder using the name trksrv.exe and starts itself as a new service.

After the trksvr service has starts, it drops files, in either a 32- or 64-bit version, depending on the system of the victim. Reverse engineering one of the binaries, we discovered the following random-name examples that could be used for these 32- or 64-bit binaries:

  • ntdsutl.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • sigver.exe
  • routeman.exe
  • ntnw.exe
  • netx.exe
  • fsutl.exe
  • extract.exe

Some of these filenames are the same as those used in the first Shamoon attack; other filenames are new.

This dropped executable is the wiper module and is responsible for overwriting various files on the hard disk and also the master boot record and boot sector.

The wiper module also drops the file drdisk.sys, which is a standard component from a commercial application (Eldos) that allows programs low-level access to hard disk drives. This driver was used in the first Shamoon attack, and again in this new campaign.

The wiper module initiates an enumeration of files on the victim’s disk and writes the results to a file with the extension “.pnf,” the file that the wiper module will use as an input for which files to wipe.

We are continuing our investigation into this campaign, and intend to publish further analyses.

McAfee Labs detects samples with the following names:

  • W32/DistTrack
  • Artemis detection
  • DistTrack!sys
  • Trojan-FKIQ![hash]
  • Trojan-FKIR![hash]

 

 

Categories: McAfee Labs
Tags: , ,

Leave a Comment

Similar articles

Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most ...
Read Blog
The risk to your family's healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed. That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From ...
Read Blog