FortiGuard is currently investigating a new wave of attacks targeting organizations in the Kingdom of Saudi Arabia that use an updated version of the Shamoon malware (also known as DistTrack). We described this malware in detail a few months ago in a previous article.
The key features of that version remain the same, yet several deliberate changes are visible:
Pic 1: The header of the image file used in November 2016.
Pic 2: The header of the image file used in January 2017.
Note: the “Ducky” pattern is a legitimate string in Photoshop files.
Pic 3: Bogus compilation timestamp used in January 2017.
The reasons why the criminals started to use different images and compilation times are currently unknown. One possible explanation is that several groups are behind these attacks. A second possible scenario is that the criminals want their samples to evade detection by popular antivirus applications.
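A compilation timestamp that cannot be right is one of the cheapest triage signals an analyst has, and the bogus value noted above is a reminder to check it rather than trust it. The following is an added example, not code from the FortiGuard article: it reads the COFF `TimeDateStamp` from a PE image and classifies it against a reference time (for instance the time the sample was first seen). The tiny PE image it builds is constructed for the demonstration, and the one-day future tolerance and 20-year age limit are assumed thresholds.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: a DOS stub with e_lfanew, the "PE\\0\\0" signature
    and a COFF file header. Only the fields the timestamp check needs are set."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        1,            # NumberOfSections
        timestamp,    # TimeDateStamp: seconds since the Unix epoch
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0xE0,         # SizeOfOptionalHeader (PE32)
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, validating the headers on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def classify_timestamp(ts: int, now: int, max_age_years: int = 20) -> str:
    """Label a compile timestamp relative to a reference time `now` (Unix seconds).
    Thresholds are assumptions chosen for this example."""
    if ts == 0:
        return "zeroed"
    if ts > now + 24 * 3600:
        return "future"
    if ts < now - max_age_years * 365 * 24 * 3600:
        return "implausibly old"
    return "plausible"


def timestamp_to_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    first_seen = 1485000000  # reference time, constructed: late January 2017
    for label, ts in [("plausible sample", 1484006400), ("future-dated sample", 1600000000)]:
        sample = build_minimal_pe(ts)
        stamp = pe_timestamp(sample)
        print(label, timestamp_to_utc(stamp), classify_timestamp(stamp, first_seen))
```

Comparing against first-seen time rather than the wall clock at analysis time matters: a sample stamped with a date in 2020 looks "plausible" today but was impossible when it was collected in January 2017.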
3. Credentials. Shamoon tries to propagate with static credentials hardcoded into the body of its code. In recently analyzed samples, we discovered several new default credentials from Huawei’s FusionCube virtualization products, so Shamoon can now target both physical and virtual machines.
Pic 4: Part of hardcoded credentials used.
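Propagation with a fixed set of credentials leaves a recognisable trace: one account authenticating over the network to many hosts in a short time. The following detection logic is an added example, not part of the FortiGuard article. It runs over constructed log lines in a simplified key=value rendering of Windows Security event 4624 (successful logon) with logon type 3 (network); the format, the host names and the 60-second / 4-host thresholds are all assumptions for the example, not the real event text.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not from any real incident). One service
# account fans out to five hosts in a few seconds; the others are ordinary.
SAMPLE_LOGS = """\
2017-01-23T10:00:01Z host=WS-101 event=4624 logon_type=3 user=alice src=10.0.1.20
2017-01-23T10:00:04Z host=FS-01 event=4624 logon_type=3 user=svc-deploy src=10.0.2.7
2017-01-23T10:00:05Z host=WS-102 event=4624 logon_type=3 user=svc-deploy src=10.0.2.7
2017-01-23T10:00:06Z host=WS-103 event=4624 logon_type=3 user=svc-deploy src=10.0.2.7
2017-01-23T10:00:08Z host=WS-104 event=4624 logon_type=3 user=svc-deploy src=10.0.2.7
2017-01-23T10:00:09Z host=WS-105 event=4624 logon_type=3 user=svc-deploy src=10.0.2.7
2017-01-23T10:30:00Z host=WS-101 event=4624 logon_type=2 user=alice src=-
2017-01-23T11:00:00Z host=FS-01 event=4624 logon_type=3 user=bob src=10.0.1.31
2017-01-23T14:00:00Z host=WS-107 event=4624 logon_type=3 user=bob src=10.0.1.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<lt>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse the simplified log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts, "host": m["host"], "event": int(m["event"]),
            "logon_type": int(m["lt"]), "user": m["user"], "src": m["src"],
        })
    return events


def find_fanout(events: list, window_seconds: int = 60, min_hosts: int = 4) -> dict:
    """Return {(user, src): [hosts]} for credential pairs that reached at least
    min_hosts distinct hosts via network logons inside any window_seconds window."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == 4624 and e["logon_type"] == 3:
            by_key[(e["user"], e["src"])].append(e)

    alerts = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than window_seconds before evs[end].
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(key, [])):
                alerts[key] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for (user, src), hosts in find_fanout(parse_events(SAMPLE_LOGS)).items():
        print(f"ALERT: {user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Keying on the (account, source address) pair rather than the account alone separates a single spreading host from a legitimately busy service account used from many places; in production the same logic would read the real 4624 fields (TargetUserName, IpAddress, LogonType) from a SIEM rather than this constructed format.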
The biggest current mystery is how the developers initially obtained the valid credentials used in these Shamoon attacks. FortiGuard will continue to investigate and provide updates as new information develops.
-= FortiGuard Lion Team =-
Currently, all DistTrack samples found so far are detected by these AV signatures:
Application Control signature:
EldoS RawDisk Components:
Possible names of the malware in %SYSTEMROOT%\System32 folder: