
New Shamoon malware variant targeted the oil and gas sector in the Middle East

Update: the Shamoon detection tool has been updated to detect the latest Shamoon 3 variant from December 10, 2018. (Click here to download the updated Shamoon 3 detector.)


The destructive Shamoon wave has hit oil and gas organizations in the Middle East for the third time. The first Shamoon attack was observed in 2012 and wiped more than 30,000 systems at Saudi Aramco and other oil companies in the Middle East. The second, Shamoon 2, was detected in late 2016 targeting a single organization in Saudi Arabia; this second variant was found to wipe all data on the affected systems. The third wave carries a new variant of the Shamoon 2 dropper component and is known as Shamoon 3. Earlier Shamoon attacks overwrote documents, pictures, videos and music files, wiped the Master Boot Record (MBR) and replaced it with an image of a burning flag.

Shamoon 3 keeps the MBR overwriting method and adds the ability to irreversibly encrypt files. The main difference between the older Shamoon variants and the new one is that Shamoon 3 does not contain any set of hard-coded domain credentials specific to the target organization. Researchers have also found that Shamoon 3 contains a longer list of file names from which it picks the name of the dropped executable.

This document covers the indicators of compromise (IOCs) for Shamoon 3 and the recommended mitigations.


Modules in Shamoon 3

Dropper

The Shamoon 3 attack begins with a dropper that installs the communications module and the wiper module on the system. During installation the dropper picks a random name for each module. The communications module takes one of the following file names, with an .exe extension:

• netnbdrve
• prnod802
• netrndiscnt
• netrtl42l
• mdmadccnt
• prnca00
• bth2bht_ibv32
• cxfalcon_ibL32
• mdmsupr30
• digitalmediadevicectl
• mdmetech2dmv
• netb57vxx
• winwsdprint
• prnkwy005
• composite005
• mdmar1_ibv32
• prnle444
• kscaptur_ibv32
• mdmzyxlga
• usbvideob
• input_ibv48
• prnok002_ibv
• averfx2swtvZ
• wpdmtp_ibv32
• mdmti_ibv32
• printupg_ibv32
• wiabr788


Wiper

The wiper module installed by the dropper overwrites the data in the MBR, the partitions and the files on the system. It takes one of the following file names, with an .exe extension:

• _wialx002
• __wiaca00a
• tsprint_ibv
• acpipmi2z
• prnlx00ctl
• prngt6_4
• arcx6u0
• _tdibth
• prncaz90x
• mdmgcs_8
• mdmusrk1g5
• netbxndxlg2
• prnsv0_56
• af0038bdax
• averfix2h826d_noaverir
• megasasop
• hidirkbdmvs2
• vsmxraid
• mdamx_5560
• wiacnt7001

Communications

The communications module installed by the dropper communicates with the command-and-control (C2) server URL, using a specific User-Agent string for its requests.

Indicators of Compromise

SHA 256 Hashes

Malicious Domains

• 44-easypaper.org
• book-library.org
• browsersversion.com
• cloudpackages.net
• times-sync.com

Malicious Hostnames

• 104.27.138.44-easypaper.org

Malicious URLs

http://CloudPackages.net:443/api/info
https://103.236.149.100/api/info
https://BrowsersVersion.com:80
https://BrowsersVersion.com:80/?id=845480
https://times-sync.com/api/info
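The file-name lists and network indicators above are only useful if they are actually checked against endpoints and logs. As an added example (not code from the original post or from the detection tool it links to), the following Python script turns those indicators into a small scanner: it classifies file names against the dropper's communications and wiper name lists (case-insensitively, requiring the .exe extension the text describes) and searches log lines for the listed domains as whole host names, so that subdomains match but names that merely contain a listed domain as a substring do not. The directory it scans and the proxy/DNS log lines it reads are constructed for the demonstration; a match is a lead for investigation, not proof of infection on its own.

```python
# Added example: IOC scanner built from the Shamoon 3 indicators listed on this page.
# The file names and log lines below are constructed for the demonstration.
import re
import tempfile
from pathlib import Path

# Communications-module names from the dropper section, lower-cased for comparison.
COMMS_MODULE_NAMES = {
    "netnbdrve", "prnod802", "netrndiscnt", "netrtl42l", "mdmadccnt", "prnca00",
    "bth2bht_ibv32", "cxfalcon_ibl32", "mdmsupr30", "digitalmediadevicectl",
    "mdmetech2dmv", "netb57vxx", "winwsdprint", "prnkwy005", "composite005",
    "mdmar1_ibv32", "prnle444", "kscaptur_ibv32", "mdmzyxlga", "usbvideob",
    "input_ibv48", "prnok002_ibv", "averfx2swtvz", "wpdmtp_ibv32", "mdmti_ibv32",
    "printupg_ibv32", "wiabr788",
}
# Wiper-module names from the wiper section.
WIPER_MODULE_NAMES = {
    "_wialx002", "__wiaca00a", "tsprint_ibv", "acpipmi2z", "prnlx00ctl", "prngt6_4",
    "arcx6u0", "_tdibth", "prncaz90x", "mdmgcs_8", "mdmusrk1g5", "netbxndxlg2",
    "prnsv0_56", "af0038bdax", "averfix2h826d_noaverir", "megasasop", "hidirkbdmvs2",
    "vsmxraid", "mdamx_5560", "wiacnt7001",
}
# Domains from the "Malicious Domains" section.
MALICIOUS_DOMAINS = {
    "44-easypaper.org", "book-library.org", "browsersversion.com",
    "cloudpackages.net", "times-sync.com",
}
# One pattern per domain. The lookbehind rejects a preceding letter, digit or '-'
# (so "notbook-library.org" is not a hit) but allows a '.', so subdomains match.
_DOMAIN_PATTERNS = [
    (d, re.compile(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", re.IGNORECASE))
    for d in sorted(MALICIOUS_DOMAINS)
]


def classify_filename(name):
    """Return 'communications', 'wiper' or None for a file name such as 'PRNOD802.EXE'."""
    lowered = name.lower()
    if not lowered.endswith(".exe"):
        return None  # the page states both modules are dropped with an .exe extension
    stem = lowered[:-4]
    if stem in COMMS_MODULE_NAMES:
        return "communications"
    if stem in WIPER_MODULE_NAMES:
        return "wiper"
    return None


def scan_directory(root):
    """Walk root recursively and return sorted (path, module_type) for matching files."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            kind = classify_filename(path.name)
            if kind is not None:
                hits.append((str(path), kind))
    return sorted(hits)


def scan_log_lines(lines):
    """Return (line_number, domain) for every line that references a listed domain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for domain, pattern in _DOMAIN_PATTERNS:
            if pattern.search(line):
                hits.append((number, domain))
    return hits


# Constructed proxy/DNS log lines (not real captures); line 1 reuses a URL from the page.
SAMPLE_LOG = [
    "2018-12-12T10:01:03Z proxy src=10.0.0.15 method=GET url=https://browsersversion.com:80/?id=845480",
    "2018-12-12T10:01:09Z proxy src=10.0.0.15 method=GET url=https://www.example.org/index.html",
    "2018-12-12T10:02:41Z dns src=10.0.0.22 query=times-sync.com type=A",
    "2018-12-12T10:02:42Z dns src=10.0.0.22 query=cdn.cloudpackages.net type=A",
    "2018-12-12T10:03:00Z dns src=10.0.0.22 query=notbook-library.org type=A",
]


def demo_directory_scan():
    """Create a throwaway directory with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("PRNOD802.EXE", "acpipmi2z.exe", "readme.txt", "netnbdrve.dll"):
            (Path(tmp) / name).write_bytes(b"")  # empty placeholder files, constructed
        return [kind for _path, kind in scan_directory(tmp)]


if __name__ == "__main__":
    print("file-name hits:", demo_directory_scan())
    for number, domain in scan_log_lines(SAMPLE_LOG):
        print(f"log line {number}: contact with listed domain {domain}")
```

In production use, point `scan_directory` at the system and user profile directories where the dropper writes, and feed `scan_log_lines` your proxy and DNS exports; the matching rules are intentionally strict about the .exe extension and host-name boundaries so that the output stays reviewable rather than noisy.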

Recommendations for Mitigation

System administrators and users are advised to take the following actions:

• Update systems to the latest patch level.
• Enforce a least-privilege policy.
• Disable outdated plugins or components.
• Employ sandboxing, data categorization and network segmentation.
• Employ multilayered security mechanisms such as application control.


