Vin Ransomware Blog02

The destructive Shamoon malware campaign returned in January 2017, targeting several Saudi organizations. Shamoon was first detected in 2012, when it wiped the data on over 30,000 computer systems and overwrote the hard drive Master Boot Record (MBR) with a picture of a burning US flag.

Per Symantec, the threat actors behind Shamoon are linked to the Greenbug cyber espionage group. Another speculation is that this could be the work of Iranian state-sponsored hackers. The group's main attack vector is specially crafted (spear-phishing) email. Greenbug targets a range of organizations in the Middle East, including companies in the chemical, aviation, banking and government sectors. It uses the Trojan.Ismdoor Remote Access Trojan (RAT) together with a variety of other tools to steal credentials from compromised organizations. The Shamoon 2 attacks revealed a new strategy: the malware carries account credentials that are hardcoded into the sample and specific to the targeted organization.

Trojan.Ismdoor steals credentials from the targeted organizations and provides a backdoor. The backdoor uses a PowerShell script to collect information about the compromised system and writes the results to a temporary file; the commands involved are shown in Figures 1 to 3.


shamoon2 1

Figure 1 - The above picture shows the commands used by Shamoon2 to collect various sensitive information (first of three screenshots)

shamoon2 2

Figure 2 - The above picture shows the commands used by Shamoon2 to collect various sensitive information (second of three)

shamoon2 3

Figure 3 - The above picture shows the commands used by Shamoon2 to collect various sensitive information (third of three)

Files Accessed

The following files are accessed, written or removed by the Shamoon2 sample. Paths are as recorded during execution in the analysis environment, so the 'student' profile belongs to that environment; on a suspect host, check the equivalent per-user local application data folder (Local Settings\Application Data on Windows XP, AppData\Local on later versions) under Microsoft\Windows.

C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\Tmp98871 - accessed
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\Tmp98871 - written
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\tmp43hh11.txt - removed

PDB path string - a debug artifact, not a credential database

shamoon2 4

Figure 4 - Presence of a PDB (Program Database) path string in the sample

This Shamoon2.Jan2017 variant uses a hardcoded username and password (stolen earlier) to access computers for infection. The '.pdb' reference visible in the sample is not where those credentials live: a .pdb path inside a PE file is a Program Database (debug symbol) path that the Microsoft linker embeds at build time, and the PDB file itself normally stays on the developer's build machine. The string is still a useful analyst artifact, because the build path can reveal project or directory names and can be pivoted on across samples, but the stolen credentials are compiled into the binary itself rather than stored in a .pdb file.
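To make concrete what a '.pdb' reference in a PE actually is, here is an added example (not part of the original analysis and not code from the sample) that parses the PE debug directory and extracts the CodeView RSDS record: the embedded PDB path, the build GUID and the age, which are the fields analysts pivot on. Because real samples cannot be shipped with the page, the block builds its own input: a constructed, non-executable PE32 stub with a constructed path and GUID.

```python
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2    # debug entry type that carries the RSDS/PDB record
IMAGE_DIRECTORY_ENTRY_DEBUG = 6  # data-directory slot of the debug directory
DEBUG_ENTRY_SIZE = 28            # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address onto a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA 0x{rva:x} is not backed by any section")


def extract_pdb_path(pe):
    """Return (pdb_path, guid, age) from the CodeView RSDS record of a PE image,
    or None when the image carries no such record. `pe` is the raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dirs_off + IMAGE_DIRECTORY_ENTRY_DEBUG * 8)
    if not dbg_rva or not dbg_size:
        return None
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + i * 40
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, raw_size, raw_ptr))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for n in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + n * DEBUG_ENTRY_SIZE
        # Type, SizeOfData, AddressOfRawData, PointerToRawData follow the 12-byte prefix
        dtype, size, _addr, raw_ptr = struct.unpack_from("<IIII", pe, entry + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or size < 24:
            continue
        cv = bytes(pe[raw_ptr:raw_ptr + size])
        if cv[:4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=cv[4:20])
        age = struct.unpack_from("<I", cv, 20)[0]
        path = cv[24:].split(b"\0", 1)[0].decode("latin-1")
        return path, str(guid), age
    return None


def build_constructed_pe(pdb_path, guid, age=1):
    """Build a minimal, non-executable PE32 stub whose only payload is an RSDS
    record. Constructed for this example; it is not a Shamoon sample."""
    sec_rva, sec_off = 0x1000, 0x200
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\0"
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(cv), sec_rva + DEBUG_ENTRY_SIZE, sec_off + DEBUG_ENTRY_SIZE)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_DEBUG * 8, sec_rva, len(dbg_entry))
    section = b".rdata\0\0" + struct.pack("<IIII", 0x200, sec_rva, 0x200, sec_off) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sec_off, b"\0") + (dbg_entry + cv).ljust(0x200, b"\0")


def demo():
    """Round-trip a constructed path and GUID through the builder and the parser."""
    guid = uuid.UUID("12345678-1234-5678-9abc-def012345678")   # constructed value
    image = build_constructed_pe(r"C:\sandbox\build\Release\example.pdb", guid, age=3)
    return extract_pdb_path(image)


if __name__ == "__main__":
    print(demo())
```

Point `extract_pdb_path` at the bytes of a real sample to recover its build path; the GUID and age are what a debugger would use to fetch the matching PDB from a symbol server, which is why they, and not any credential data, are what this record contains.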

Shamoon is a Windows PE executable, so every affected system is a Windows host; the 'Documents and Settings' layout in the paths above reflects the Windows XP-style profile layout of the analysis machine.

shamoon2 5

Figure 5 - The above picture shows Shamoon2 verifying the stolen credentials against the victim machine

What does the string "...\WinHttp\Passport Test" mean? WinHTTP provides platform support for Microsoft Passport by implementing the client-side protocol for Passport authentication. It frees applications from the details of interacting with the Passport infrastructure and with the Stored User Names and Passwords in Windows; from a developer's perspective, using Passport is no different from using traditional authentication schemes such as Basic or Digest. Because this string comes from WinHTTP's own Passport support rather than from Shamoon-specific logic, it indicates that the sample relies on WinHTTP for authenticated requests; on its own it does not show which authentication scheme was negotiated with the victim machine.

Dropped Files

The following files are dropped by the Shamoon2 malware. The 16-hex-digit prefix is not part of the on-disk name: e3b0c44298fc1c14 is the first 16 hex digits of the SHA-256 of an empty input, which shows that the prefix is a content-hash prefix attached by the analysis tooling (and that tmp43hh11.txt was empty when it was captured). The two different prefixes for tmp98871 mean two distinct contents were written to that path. For hunting, match on the suffixes Tmp98871 and tmp43hh11.txt, not on the prefixes.

5e81a96cdf57aedb_tmp98871
c6ed7eb6d964fb68_tmp98871
e3b0c44298fc1c14_tmp43hh11.txt

Indicators of Compromise – SHA256 hash values

319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c
7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c
6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d
010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb
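As an added example (not part of the original analysis), here is a small Python sweep that turns the indicators above into a host check: it hashes every file under a directory tree and compares against the SHA-256 list, and flags the dropped-file names Tmp98871 and tmp43hh11.txt (case-insensitively, with the sandbox hash prefixes stripped). The hash constants are copied from this page; the directory the demo run builds is constructed, and the planted stand-in sample's hash is added to the set only so the hash path is exercised.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values from the indicator list above, copied verbatim.
SHAMOON2_SHA256 = {
    "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c",
    "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c",
    "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d",
    "010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb",
}

# Dropped-file names from the list above with the sandbox's 16-hex-digit
# content-hash prefix stripped (e3b0c44298fc1c14 is the start of the SHA-256
# of an empty input). Compared case-insensitively because the accessed-files
# list records the first one as "Tmp98871".
DROPPED_NAMES = {"tmp98871", "tmp43hh11.txt"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hashes=SHAMOON2_SHA256, names=DROPPED_NAMES):
    """Walk `root` and return (path, reason) pairs for every file that matches
    a known hash or a dropped-file name. One file can yield both reasons."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            if path.is_symlink():          # do not follow links out of the tree
                continue
            if filename.lower() in names:
                findings.append((str(path), "dropped-file name"))
            try:
                digest = sha256_file(path)
            except OSError:                # locked or unreadable file: skip, keep going
                continue
            if digest in hashes:
                findings.append((str(path), f"sha256 {digest}"))
    return findings


def build_constructed_tree(root):
    """Populate `root` with a constructed demo layout (no real malware) and
    return the SHA-256 of the planted stand-in sample."""
    win = Path(root) / "Microsoft" / "Windows"
    win.mkdir(parents=True)
    (win / "Tmp98871").write_bytes(b"constructed placeholder content")
    (win / "tmp43hh11.txt").write_bytes(b"")
    (Path(root) / "readme.txt").write_bytes(b"benign file, should not match")
    sample = Path(root) / "sample.exe"
    sample.write_bytes(b"constructed stand-in for a sample")
    return hashlib.sha256(sample.read_bytes()).hexdigest()


def demo():
    """Run the sweep over a constructed tree; the planted sample's hash is added
    to the indicator set so the hash path is exercised too."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = build_constructed_tree(tmp)
        findings = scan_tree(tmp, hashes=SHAMOON2_SHA256 | {planted})
    return sorted((Path(path).name, reason.split()[0]) for path, reason in findings)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason:14} {name}")
```

Run `scan_tree` against the per-user local application data folder on a suspect host for a quick triage; a name match there is a weaker signal than a hash match, since the temp-file names could in principle be reused by other software, so treat it as a lead to pull the file for analysis rather than as confirmation.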

Conclusion

This analysis highlights the important aspects of the Shamoon2.Jan17 variant: its reuse of previously stolen, organization-specific credentials hardcoded into the sample, the PowerShell-based collection performed by the Ismdoor backdoor, and the file and hash indicators listed above. A more detailed threat analysis of Shamoon 2.0 is updated here.