FortiGuard Labs Threat Research

Research: Furtive Malware Rises Again

Shamoon Timeline

The Shamoon malware, also known as Disttrack, surfaced for the first time back in 2012, targeting Middle East oil companies. It leveraged stolen credentials to gain access, and then exhibited worm-like behavior to spread throughout the entire targeted network. All Shamoon attacks were clearly very carefully planned beforehand, as the attackers had to obtain legitimate credentials before launching the attack.

While most modern malware is focused on monetizing in any way possible, from bitcoin mining to the current trend of high-profile ransomware, Shamoon was not keen about the dough. Instead, this is believed to be a hacktivist attack.

Allegedly, the author of this malware is the hacker group called “Cutting Sword of Justice,” who claimed responsibility for the attack that rendered 30,000 computers unusable.

This attack was designed to break in, infect machines, and then cover its tracks. It also stole information from certain files and sent it back to its command and control center, probably so the author could verify that his attack was successful.

Once a device was infected, Shamoon proceeded to gain write privileges to the master boot record and then overwrote the content of critical files with JPEG image data, making the machine completely unusable. The original JPEG file used was a picture of a burning USA flag.

Soon after its debut, and the high-profile destruction of tens of thousands of computers, Shamoon went dormant. But now, four years later, a new attack was launched using an upgraded version of the malware. And guess who the target was?

You bet. Middle Eastern companies again, Saudi Arabia again. And this attack was just as well planned as the previous one. It took place on Thursday, November 17, 2016, at 20:45, the end of the work week in Saudi Arabia. Presumably, the date was selected so the malware would have time to spread over the weekend with less chance that someone would spot its activity. This is just one of the many features shared between this attack and the previous one four years ago.

X-Ray of the Malware

We can confirm that the current DistTrack variants are almost identical to the samples used back in 2012. This is multi-component malware with the ability to propagate itself across the local network. The malicious functions of its components are listed below.

Dropper:

  1. We have found 32-bit and 64-bit variants of the Dropper. All of these samples carry a compilation timestamp of 2009-02-15, with times all around 12:32 PM. These timestamps are obviously bogus, since every version of the Dropper we have investigated includes an embedded, encrypted image of Alan Kurdi, who died on 2015-09-02.
  2. Variant modifications: The version of this malware that was uploaded to VirusTotal on 2016-12-02 has a bogus Microsoft signature in the file overlay. This signature was ripped from one of the Sysinternals tools, and the checksum of the file did not match.


Picture 1: Bogus Microsoft signature in the end of Disttrack dropper

  3. The Dropper contains the other malicious components, masked as bitmap resources named PKCS12, PKCS7, and X509. These components are encrypted with a simple XOR algorithm.


Picture 2: Embedded resources of the Disttrack dropper
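As an added example (not code from the original post or from FortiGuard), the following Python shows how an analyst can recover such an XOR-encrypted embedded PE from a dumped resource. The post only says “simple XOR”, so the single-byte key, and the embedded image the script builds for itself, are assumptions.

```python
# Added example (not FortiGuard's code): recover a PE component hidden in a resource under a
# single-byte XOR key. The post only says "simple XOR"; the key length is an assumption and
# the embedded image below is a constructed stand-in, not a real executable.
import struct

def looks_like_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_xor_pe(resource: bytes):
    """Try all 256 keys; return (key, plaintext) for the first that decodes to a PE, else None."""
    for key in range(256):
        plain = xor_bytes(resource, key)
        if looks_like_pe(plain):
            return key, plain
    return None

def build_fake_pe() -> bytes:
    """Constructed minimal image: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at offset 0x80."""
    img = bytearray(0x100)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)

def build_fake_resource(key: int = 0x5A) -> bytes:
    """What the dropper would store in its 'bitmap' resource under the single-byte assumption."""
    return xor_bytes(build_fake_pe(), key)

if __name__ == "__main__":
    key, plain = recover_xor_pe(build_fake_resource())
    print(f"key=0x{key:02x} header={plain[:2]!r}")
```

On a real sample the input would be the raw bytes of the PKCS12, PKCS7 or X509 resource dumped from the Dropper; if no key yields a PE, the scheme is more than a single-byte XOR.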

  4. After starting, the Dropper creates a service with the following parameters:

Service name: “NtsSrv”

Display name: “Microsoft Network Realtime Inspection Service”

Description: “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”

Path to executable: “Dropper_name.exe LocalService”

For additional persistence, the Dropper also makes the existing “Workstation” service dependent on the new malicious service.

  5. After that, the Dropper starts the newly created service and ends its own process. From that point on it runs as a service. It also checks for the “LocalService” parameter to make sure it is running as a service.
  6. Next, the Dropper starts to unpack the other components. First, it unpacks a RawDisk license key and drops it as “%SYSTEMROOT%\Temp\key8854321.pub”. This license key is required for Shamoon’s Wiper component to use the RawDisk commercial disk driver to access the system hard drive. More details are provided in the Wiper section, below.
  7. The Dropper then checks the system time, and if it is past a certain value it drops and executes its “Wiper” component. The functionality of the Wiper is discussed in more detail below. The name of the Wiper component is pseudo-randomly chosen from the following list of names:

caclsrv.exe
certutl.exe
clean.exe
ctrl.exe
dfrag.exe
dnslookup.exe
dvdquery.exe
event.exe
findfile.exe
gpget.exe
ipsecure.exe
iissrv.exe
msinit.exe
ntfrsutil.exe
ntdsutl.exe
power.exe
rdsadmin.exe
regsys.exe
sigver.exe
routeman.exe
rrasrv.exe
sacses.exe
sfmsc.exe
smbinit.exe
wcscript.exe
ntnw.exe
netx.exe
fsutl.exe
extract.exe

  8. The Dropper then drops and launches its communication component. This component always has the same fixed name:

C:\Windows\System32\netinit.exe

The Dropper starts it with the parameter “1”.

Picture 4: request to the nonexistent domain “server”

This is another confirmation that this malware was created with purely destructive purposes.

  9. Propagation: The Dropper tries to connect to the IP addresses in the current /24 subnet. It then tries to open common system files in the system32 folder of each reachable host. If that succeeds, the Dropper copies itself to the remote system and then starts a remote service or schedules a remote job. The name of the copied malware is chosen from the same name list shown in point 7, above. It then installs the Dropper as a service, just as on the initially infected machine.


To connect to other computers in the network, the Dropper uses credentials hardcoded in its body:

Picture 5: part of the credentials used for network propagation


Note: How the criminals obtain these credentials is currently unknown.

Wiper:

  1. The Wiper component unpacks a special driver from its body, which it uses to gain direct access to the system hard disk. It uses the RawDisk driver from EldoS Corporation.

Note: This is a legitimate driver from a commercial software company, and is not malicious by itself. More information on this driver can be found here.

  2. The RawDisk driver requires a license for use. The Wiper component uses the file “%SYSTEMROOT%\Temp\key8854321.pub”, which was saved by the Dropper earlier. The Wiper also changes the system date to a random date between 2012-08-01 and 2012-08-20 to match the license validity period.
  3. The Wiper then tries to rewrite the hard disk’s partition tables, making it impossible to boot the system. In our lab analysis, the attack was successful on x86 systems but not on x64 systems.


Picture 6: partition table successfully overwritten by Disttrack on Windows XP x86.

  4. Besides overwriting the partition table, the Wiper also tries to overwrite files with a 19KB JPEG image of the drowned Syrian refugee child, Alan Kurdi:


Pictures 7 and 8: new content of the overwritten files (obscured), and the actual photo used to overwrite them


Fortinet protections to date

Based on our analysis, we have determined that the Fortinet Security Fabric would have easily spotted the initial Shamoon infection, and could have also used the information from the infection itself to restore the network to its previous, safe state.  In addition, from the moment the malware started spreading through the infrastructure and changing every machine’s device driver, FortiSIEM, with its pervasive view of the entire infrastructure, including the targeted endpoints, would have identified that the network was exhibiting very unusual activity and would have flagged it for review. 

Fortinet Detection:

Currently, all found samples of DistTrack are detected by the following signatures:

W32/DISTTRACK.C!tr

W32/Generic.BQYIIWO!tr

W64/DistTrack.A!tr

Malware_Generic.P0

IPS:

DistTrack.Botnet


Indicators of Compromise:

Malicious Components:


EldoS RawDisk Components:

4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a


Malicious service attributes:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtsSrv

Description = “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”

Display name = “Microsoft Network Realtime Inspection Service”
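The service parameters and the “Workstation” dependency hook described in the Dropper section can be checked from a `reg export` of the Services key. The Python below is an added example, not FortiGuard’s code; the sample export it parses is constructed, and `LanmanWorkstation` is assumed to be the registry key behind the “Workstation” service.

```python
# Added example (not FortiGuard's code): flag the Disttrack service and its "Workstation"
# dependency hook in the text of a `reg export` of the Services key. Sample data is constructed.
import re

SERVICE_NAME = "NtsSrv"
DISPLAY_NAME = "Microsoft Network Realtime Inspection Service"

def _decode_value(raw):
    """"string" -> str; hex(7): (REG_MULTI_SZ, UTF-16LE, NUL-separated) -> list of str."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(7\):(.*)$", raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw  # dword:/hex: values are not needed for these checks

def parse_reg_export(text):
    """Map each [key] to {value name: decoded value}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values continued with a trailing '\'
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys

def find_service_iocs(reg_text):
    """One finding per matching service key; an empty list means nothing matched."""
    hits = []
    for key, vals in parse_reg_export(reg_text).items():
        svc = key.rsplit("\\", 1)[-1]
        if svc.lower() == SERVICE_NAME.lower() or vals.get("DisplayName") == DISPLAY_NAME:
            hits.append(f"{svc}: Disttrack service name or display name")
        deps = vals.get("DependOnService", [])
        deps = [deps] if isinstance(deps, str) else deps
        if SERVICE_NAME.lower() in (d.lower() for d in deps):
            hits.append(f"{svc}: made dependent on {SERVICE_NAME} (persistence hook)")
    return hits

# Constructed sample export; LanmanWorkstation is assumed to be the "Workstation" service key.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtsSrv]
"DisplayName"="Microsoft Network Realtime Inspection Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DisplayName"="Workstation"
"DependOnService"=hex(7):4e,00,74,00,73,00,53,00,\
  72,00,76,00,00,00,00,00'''
```

Run `find_service_iocs(open("services.reg", encoding="utf-16").read())` against a real export; REG_MULTI_SZ values such as DependOnService are stored as hex(7) UTF-16LE byte lists, which is why the parser decodes them before comparing.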


Filesystem artifacts:

C:\Windows\Temp\key8854321.pub

C:\Windows\System32\drivers\drdisk.sys

C:\Windows\inf\netimm173.pnf


Possible names of the malware in the %SYSTEMROOT%\System32 folder:

caclsrv.exe
certutl.exe
clean.exe
ctrl.exe
dfrag.exe
dnslookup.exe
dvdquery.exe
event.exe
findfile.exe
gpget.exe
ipsecure.exe
iissrv.exe
msinit.exe
ntfrsutil.exe
ntdsutl.exe
power.exe
rdsadmin.exe
regsys.exe
sigver.exe
routeman.exe
rrasrv.exe
sacses.exe
sfmsc.exe
smbinit.exe
wcscript.exe
ntnw.exe
netx.exe
fsutl.exe
extract.exe