The Shamoon malware, also known as Disttrack, surfaced for the first time back in 2012, targeting Middle Eastern oil companies. It leveraged stolen credentials to gain access, and then exhibited worm-like behavior to spread throughout the entire targeted network. All Shamoon attacks were clearly very carefully planned beforehand, as the attackers had to obtain legitimate credentials before launching the attack.
While most modern malware is focused on monetizing in any way possible, from bitcoin mining to the current trend of high-profile ransomware, Shamoon was not keen on the dough. Instead, this is believed to have been a hacktivist attack.
Allegedly, the author of this malware is the hacker group called “Cutting Sword of Justice,” who claimed responsibility for the attack that rendered 30,000 computers unusable.
This attack was designed to break in, infect machines, and then clean its tracks. It also stole information from certain files and sent it back to its command and control center, probably so the author could verify that his attack was successful.
Once a device was infected, Shamoon gained write access to the master boot record and then overwrote the content of critical files with JPEG image data, making the machine completely unusable. The original JPEG file used was a picture of a burning USA flag.
Soon after its debut, and the high-profile destruction of tens of thousands of computers, Shamoon went dormant. But now, four years later, a new attack was launched using an upgraded version of the malware. And guess who the target was?
You bet. Middle Eastern companies again, Saudi Arabia again. And this attack was just as well planned as the previous one. It took place on Thursday, November 17, 2016, at 20:45, the end of the work week in Saudi Arabia. Presumably, the date was selected so the malware would have time to spread over the weekend with less chance that someone would spot its activity. This is just one of the many features shared between this and the previous attack four years ago.
X-Ray of the Malware
We can confirm that the current modifications of DistTrack are almost identical to the samples used back in 2012. This is a multi-component malware with the ability to propagate itself via the local network. The malicious functions of its components are listed below.
Picture 1: Bogus Microsoft signature at the end of the Disttrack dropper
Picture 2: Embedded resources of the Disttrack dropper
Service name: “NtsSrv”
Display name: “Microsoft Network Realtime Inspection Service”
Description: “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”
Path to executable: “Dropper_name.exe LocalService”
For additional persistence in the system, the dropper also makes the “Workstation” service depend on the new malicious service.
The dropper then starts it with the parameter “1”.
Picture 4: request to the nonexistent domain “server”
This is another confirmation that this malware was created with purely destructive purposes.
To connect to other computers in the network, the dropper uses credentials hardcoded in its body:
Picture 5: part of the credentials used for network propagation
Note: How the criminals obtain these credentials is currently unknown.
Note: This is a legitimate driver from a commercial software company, and is not malicious by itself. More information on this driver can be found here.
Picture 6: successful overwriting of the partition table by Disttrack on Windows XP x86.
4. Besides overwriting the partition table, the wiper also tries to overwrite files with a 19KB JPEG image of the drowned Syrian refugee child, Alan Kurdi:
Pictures 7 and 8: new content of overwritten files (obscured), and the actual overwritten photo
Fortinet protections to date
Based on our analysis, we have determined that the Fortinet Security Fabric would have easily spotted the initial Shamoon infection, and could have also used the information from the infection itself to restore the network to its previous, safe state. In addition, from the moment the malware started spreading through the infrastructure and changing every machine’s device driver, FortiSIEM, with its pervasive view of the entire infrastructure, including the targeted endpoints, would have identified that the network was exhibiting very unusual activity and would have flagged it for review.
Currently, all known samples of DistTrack are detected by the following signatures:
Indicators of Compromise:
EldoS RawDisk Components:
Malicious service attributes:
Description = “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”
Display name = “Microsoft Network Realtime Inspection Service”
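A quick hunt for the persistence mechanism described above, written as an added example for this post (it is not Fortinet's code or part of any product). The service name, display name, description and the "Dropper_name.exe LocalService" command line come from the article; the LanmanWorkstation registry key is the standard key behind the “Workstation” service, and the command-line heuristic is an assumption that may need tuning on hosts with unusual services.

```powershell
# Added example: look for the Disttrack service and the Workstation dependency it adds.
# Run in an elevated PowerShell session on the host being examined.
$indicators = @{
    Name        = 'NtsSrv'
    DisplayName = 'Microsoft Network Realtime Inspection Service'
    Description = 'Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols'
}

$findings = @()
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $hits = @()
    if ($svc.Name -eq $indicators.Name)               { $hits += 'service name' }
    if ($svc.DisplayName -eq $indicators.DisplayName) { $hits += 'display name' }
    if ($svc.Description -eq $indicators.Description) { $hits += 'description' }
    # Heuristic (assumption): the dropper registers itself as "<dropper>.exe LocalService".
    # Legitimate svchost groups use "-k LocalService", so those are excluded.
    if ($svc.PathName -match '\.exe"?\s+LocalService\s*$' -and $svc.PathName -notmatch '\s-k\s') {
        $hits += 'command line'
    }
    if ($hits.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service = $svc.Name
            State   = $svc.State
            Path    = $svc.PathName
            Matched = ($hits -join ', ')
        }
    }
}

# The article notes the dropper makes "Workstation" depend on the malicious service.
# That dependency is stored in the DependOnService value of the Workstation service key.
$wsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$wsDeps = (Get-ItemProperty -Path $wsKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
if ($wsDeps -contains $indicators.Name) {
    $findings += [pscustomobject]@{
        Service = 'LanmanWorkstation'
        State   = (Get-Service -Name LanmanWorkstation).Status
        Path    = "$wsKey\DependOnService"
        Matched = "depends on $($indicators.Name)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Disttrack service indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A match on the description or display name alone is a strong signal, since no Microsoft service uses either string; a match on the command-line heuristic alone should be confirmed by checking the binary's signature and location.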
Possible names of the malware in %SYSTEMROOT%\System32 folder: