March 29, 2017
Palo Alto Networks researchers have continued to analyze the Shamoon 2 attacks and determined that the method the malware used to spread across the targeted organizations' networks is rudimentary, but effective.
The latest waves of attacks involving the disk-wiping malware Shamoon, aka Disttrack, have been analyzed by several security firms. IBM reported recently that the attackers delivered Shamoon using weaponized documents, and researchers have found connections to several other Iran-linked threat actors, including Charming Kitten (aka Newscaster, NewsBeef), Rocket Kitten, Magic Hound (aka Timberworm, COBALT GYPSY), and Greenbug.
It has been known that the Shamoon 2 attacks involved stolen credentials and that the threat actors had access to the targeted organizations’ networks well before the malware initiated its destructive routines. Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.
In a blog post published on Monday, Palo Alto Networks said it managed to determine exactly how the stolen credentials were used by the attackers.
According to researchers, the hackers first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials. This machine, which became their distribution server, stored the attackers’ tools and malware. From this distribution server, the attackers attempted to connect to named systems on the network using compromised credentials and infect them with the Shamoon malware.
Each named system then enumerated up to 256 IP addresses on its local network and attempted to infect them. Each newly infected system in turn repeated the process, attempting to spread to another 256 IP addresses on its own local network.
Experts believe the information on named hosts was obtained directly from Active Directory on a domain controller, which also suggests that the attackers used legitimate credentials in their operations.
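The fan-out described above, and a detection heuristic for it, as an added example (not code from the original article, from Palo Alto Networks, or from the malware). It assumes that "256 IP addresses on the local network" means the /24 containing the infected host, and that every propagation attempt leaves an authentication record with a source and a destination; all hosts, addresses and log records are constructed for illustration.

```python
"""Model of the Disttrack fan-out described in the article, plus a
detection heuristic for it. Example code added to the article; it is not
Palo Alto Networks' code or the malware's. Hosts, addresses and log records
below are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def local_targets(host_ip):
    """The 256 addresses of the infected host's own /24 (assumed to be the
    'local network' each newly infected system scans)."""
    net = ipaddress.ip_network(f"{host_ip}/24", strict=False)
    return [str(a) for a in net]   # 256 entries, network and broadcast included


def simulate_spread(distribution_server, named_hosts, live_hosts, max_waves=4):
    """Wave 0: distribution server -> named hosts (names taken from Active
    Directory). Wave n+1: every host infected in wave n -> the live hosts in
    its /24. Returns the list of waves, each a set of newly infected hosts."""
    infected = {distribution_server}
    frontier = {h for h in named_hosts if h in live_hosts} - infected
    waves = []
    while frontier and len(waves) < max_waves:
        waves.append(frontier)
        infected |= frontier
        frontier = {t for h in frontier for t in local_targets(h)
                    if t in live_hosts and t not in infected}
    return waves


def fanout_sources(events, min_targets=30, window=timedelta(minutes=10)):
    """Flag every source that authenticates (or tries to) against at least
    min_targets distinct hosts inside one time window. A /24 sweep from a
    single host stands out from routine administration, which touches a
    handful of hosts. events: iterable of (timestamp, src_ip, dst_ip)."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            targets = {d for t, d in attempts[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


# Constructed environment: which addresses actually have a host behind them.
LIVE_HOSTS = {"10.20.30.5", "10.20.31.10", "10.20.31.11", "10.20.31.12",
              "10.20.32.10", "10.20.32.200", "10.20.40.7"}
DISTRIBUTION_SERVER = "10.20.30.5"              # first host reached over RDP
NAMED_HOSTS = ["10.20.31.10", "10.20.32.10"]    # hostnames pulled from AD

# Constructed authentication records: (timestamp, source, destination).
T0 = datetime(2017, 1, 23, 2, 0, 0)
# A sweep: 10.20.31.10 tries every other address in its /24 within ~100 s.
SWEEP = [(T0 + timedelta(seconds=0.4 * i), "10.20.31.10", dst)
         for i, dst in enumerate(local_targets("10.20.31.10"))
         if dst != "10.20.31.10"]
# Routine administration: one operator touching three servers over an hour.
ADMIN = [(T0 + timedelta(minutes=m), "10.20.30.9", dst)
         for m, dst in ((5, "10.20.31.10"), (25, "10.20.32.10"), (50, "10.20.40.7"))]
EVENTS = SWEEP + ADMIN


if __name__ == "__main__":
    for n, wave in enumerate(simulate_spread(DISTRIBUTION_SERVER, NAMED_HOSTS, LIVE_HOSTS)):
        print(f"wave {n}: {sorted(wave)}")
    print("fan-out sources:", fanout_sources(EVENTS))
```

The simulation shows why the scheme is "semi-automated" and where it stops: a subnet with no named host in it (10.20.40.0/24 above) is never reached, because every hop after the first is limited to the infected host's own /24. The heuristic is deliberately coarse; in a real environment it would run over Windows security events and be tuned against scanners and management servers that legitimately touch many hosts.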
“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.
Palo Alto Networks has also found more evidence linking the Shamoon attacks to the Magic Hound group. According to the security firm, one of the command and control (C&C) servers used by Magic Hound and a server hosting Shamoon files used IP addresses from the same range, namely 45.76.128.x. Another similarity is related to the use of PowerShell and Meterpreter.
Palo Alto Networks agrees with Symantec on the theory that Magic Hound may have conducted the reconnaissance phase of the Shamoon 2 attacks.