by Artem Semenchenko  |  Jan 30, 2017  |  Filed in: Security Research

FortiGuard is currently investigating a new wave of attacks against organizations in the Kingdom of Saudi Arabia that uses an updated version of the Shamoon malware (also known as DistTrack). We described this malware in detail in a previous article a few months ago.

The key features of that version remain the same, but the operators have made several deliberate changes:

  1. Images used. Shamoon still overwrites files with an image of the drowned Syrian toddler Alan Kurdi, but this time the picture size is different. In November 2016 it was using a picture of 349x286 pixels. Now a larger image of 700x577 pixels is used. The headers of the images look different as well:

Pic 1: The header of image file used in November 2016

Pic 2: The header of image file used in January 2017.

Note: the “Ducky” string is legitimate on its own; Photoshop writes it into the APP12 segment of the JPEG files it saves, so its presence only tells us which tool produced the image.

  2. Different compilation times. In November, the samples carried a bogus compilation timestamp of 2009-02-15. The new samples use two different, equally bogus dates: every sample we have analyzed carries a timestamp of either 2011-06-06 or 2011-09-15.

Pic 3: Bogus compilation timestamp used in January 2017.

Why the attackers changed the image and the compilation timestamps is currently unknown. One explanation is that several groups are behind these attacks; another is that the changes are meant to evade detection by signature-based antivirus products.

  3. Credentials. Shamoon propagates using static credentials hardcoded into its body. In recently analyzed samples, we found several new entries that are default credentials for Huawei’s FusionCube virtualization products, which means Shamoon can now target virtual machines as well as physical ones.

Pic 4: Part of hardcoded credentials used.
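For item 1 above, the header differences in Pic 1 and Pic 2 can be checked without an image viewer by walking the JPEG marker segments: the SOF segment carries the pixel dimensions, and the APP12 segment tagged "Ducky" is the Photoshop fingerprint. The script below is an added example, not code from the Fortinet post; the two sample files are constructed header-only JPEGs (no scan data) standing in for the November 2016 (349x286) and January 2017 (700x577) images, and the Ducky payload bytes are an approximation rather than bytes copied from a real Shamoon image.

```python
"""Walk the marker segments of a JPEG header, report the dimensions from the
SOF segment and flag the APP12 "Ducky" segment that Photoshop writes.
Added example, not code from the Fortinet post.  The two sample files are
constructed header-only JPEGs so the script runs offline; the Ducky payload
bytes are an approximation, not copied from a real Shamoon image."""
import struct

# SOFn markers (baseline, progressive, lossless, ...); all share the same
# precision/height/width prefix in their payload.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers that carry no length field: SOI, EOI, RST0..RST7.
STANDALONE = {0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_segments(data):
    """Yield (marker, payload) for every header segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between segments
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:      # EOI
                return
            pos += 2
            continue
        (length,) = struct.unpack_from(">H", data, pos + 2)  # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop here
            return
        pos += 2 + length


def inspect_jpeg(data):
    """Return width/height, the APPn tags seen, and whether APP12 'Ducky' is present."""
    info = {"width": None, "height": None, "ducky": False, "app_tags": []}
    for marker, payload in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF:                      # APP0..APP15
            tag = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
            info["app_tags"].append((marker - 0xE0, tag))
            if marker == 0xEC and payload.startswith(b"Ducky"):
                info["ducky"] = True
        elif marker in SOF_MARKERS:
            _precision, height, width = struct.unpack_from(">BHH", payload, 0)
            info["width"], info["height"] = width, height
    return info


def segment(marker, payload):
    """Encode one marker segment (helper for the constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def sof0(width, height):
    """Baseline SOF0 payload for a 3-component 8-bit image."""
    return (struct.pack(">BHHB", 8, height, width, 3)
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")


JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
DUCKY = b"Ducky\x00\x01\x00\x04\x00\x00\x00\x46\x00\x00"   # constructed APP12 body

# Constructed stand-ins: November 2016 (349x286, plain JFIF header) and
# January 2017 (700x577, Photoshop-style Ducky segment).
SAMPLE_NOV_2016 = (b"\xff\xd8" + segment(0xE0, JFIF)
                   + segment(0xC0, sof0(349, 286)) + b"\xff\xd9")
SAMPLE_JAN_2017 = (b"\xff\xd8" + segment(0xE0, JFIF) + segment(0xEC, DUCKY)
                   + segment(0xC0, sof0(700, 577)) + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("nov-2016", SAMPLE_NOV_2016), ("jan-2017", SAMPLE_JAN_2017)):
        print(name, inspect_jpeg(blob))
```

Run against a real file with `inspect_jpeg(open(path, "rb").read())`. The parser stops at SOS on purpose: the entropy-coded scan data can contain byte pairs that look like markers, and nothing after SOS is needed to compare headers. Dimensions and APP tags are a triage aid for telling the two waves apart, not a detection signature; a Ducky segment appears in any JPEG saved from Photoshop.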

The biggest open question is how the attackers originally obtained the valid credentials used in the Shamoon attacks. FortiGuard will continue to investigate these attacks and provide updates as new information develops.
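For item 2 above (the bogus compilation dates), the value in question is the TimeDateStamp field of the COFF header, shown in Pic 3. The script below is an added example, not Fortinet's code: it reads that field from a PE image and flags values that cannot be right for a sample first seen on a given date. The PE bytes are a constructed, truncated image (DOS header, PE signature and COFF header only), the epoch constants correspond to the dates the post reports at 00:00 UTC (the post gives dates only), and the first-seen date (the post date) and the five-year age threshold are assumptions chosen for this illustration.

```python
"""Read the COFF TimeDateStamp of a PE file and flag values that cannot be
right for a sample first seen on a given date.  Added example, not Fortinet's
code; the PE bytes are a constructed, truncated image and the first-seen date
and 5-year threshold are assumptions chosen for this illustration."""
import struct
from datetime import datetime, timedelta, timezone

# Epoch seconds for the dates the post reports, at 00:00 UTC (constructed:
# the post gives dates only, not the time of day).
STAMP_2009_02_15 = 1234656000
STAMP_2011_06_06 = 1307318400
STAMP_2011_09_15 = 1316044800
# Assumption: treat the post date as the first sighting of the January wave.
FIRST_SEEN_JAN_2017 = datetime(2017, 1, 30, tzinfo=timezone.utc)


def build_stub_pe(stamp, machine=0x014C):
    """Constructed minimal PE: MZ header with e_lfanew=0x40, then PE\\0\\0 + COFF."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header, which follows PE\0\0.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_timestamp(data, first_seen, max_age=timedelta(days=5 * 365)):
    """Return the reasons a build timestamp looks bogus (empty list = plausible)."""
    built = pe_timestamp(data)
    reasons = []
    if built.timestamp() == 0:
        reasons.append("zero timestamp (stripped or reproducible build)")
    if built > first_seen:
        reasons.append("build time is after the sample was first seen")
    elif first_seen - built > max_age:
        reasons.append(f"built {(first_seen - built).days} days before first sighting")
    return reasons


if __name__ == "__main__":
    for stamp in (STAMP_2009_02_15, STAMP_2011_06_06, STAMP_2011_09_15):
        pe = build_stub_pe(stamp)
        print(pe_timestamp(pe).isoformat(), assess_timestamp(pe, FIRST_SEEN_JAN_2017))
```

Two caveats before treating this as a signal. The field is trivially editable, which is exactly why Shamoon's values are bogus, so an implausible stamp is a clue about the build pipeline, not a detection on its own. And some legitimate toolchains write non-clock values: MSVC's `/Brepro` stores a hash of the image in this field, and Delphi-built binaries carry a fixed 1992 stamp, so the "too old" check needs an allow-list in practice.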

-= FortiGuard Lion Team =-

 

Fortinet protections to date:

All DistTrack samples found so far are detected by the following AV signatures:

Generik.DTOJYVZ!tr

Generik.DUPYZDJ!tr

Generik.MIPWJAV!tr

W32/Agent.AVCX!tr

W32/DISTTRACK.C!tr

W32/Generic!tr

W32/Generic.A!tr

W32/Generic.AC.3AD326!tr

W32/Generic.AUMG!tr

W32/Generic.BQYIIWO!tr

W32/Generic.C!tr

W32/Generic.SM!tr

W32/Mdrop.ELD!tr

W64/DistTrack.C!tr

W64/DistTrack.D!tr

Application Control signature:

DistTrack.Botnet

Indicators of Compromise:

Malicious Components:

010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb

128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd

25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9

394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b

448ad1bc06ea26f4709159f72ed70ca199ff2176182619afa03435d38cd53237

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34

4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400

5902a246ea00defd6371126b352bc3e13432cee18fef427f2ee40a6e0ba995eb

61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842

6e9a5681ed0e2683407e4bfcd05553207fa94a301cfc341de810b71be56bb700

7709da093dd9722e80c7c552a0935876b8d17ccf9ecc4784cffb1c1bc38dd9c0

7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9

8829c244fbe049e0910571a16828cad2fb68e4ba7bfcf2f21d169484a676213b

8cccb478de2c92b548f9976799f1b4da1bd8d6f1c821e7b0479b914939560310

b30b4b73be304b773e04d8b2a46d1a1d43b4b3ec6c8c847b8ddc007dcc40d6e4

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a

cd3d50629f0ed6b0ffeddd98b8cde57a6d00ec4b7f930f12ae7c0a980a9e9a00

cebdf768721473789ebe2fe79ffec7c6de0c52433b40fd02e57747f194fe0e80

dbdea08e7b970d395236b8e0aada6fc07fb23e6181485d86f65da1e73ab2ba2e

f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72

 

EldoS RawDisk Components:

4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a

Possible names of the malware in the %SYSTEMROOT%\System32 folder:

_mvscdsc.exe

_s3wcap32.exe

briaw002.exe

briaw004.exe

briaw005.exe

briaw006.exe

briaw007.exe

briaw008.exe

briaw009.exe

briaw00a.exe

caiaw00a.exe

caiaw00b.exe

caiaw00c.exe

caiaw00d.exe

caiaw00e.exe

caiaw00f.exe

caiaw00i.exe

cniaw001.exe

dmwa_usb.exe

dmwaudio.exe

epiaw002.exe

epiaw003.exe

fpwwlwf.exe

hdvmp32.exe

hpiaw001.exe

kyiaw002.exe

lwiawf.exe

lxiaw002.exe

lxiaw003.exe

lxiaw004.exe

lxiaw005.exe

lxiaw006.exe

miWApRpl.exe

newtvsc.exe

olvsnap.exe

olvume.exe

pdwcomp.exe

pdwfs24.exe

pdwmt.exe

pdwmtp.exe

pdwmtphw.exe

saiaw002.exe

sbuvideo.exe

sdwprint.exe

sdwscdrv.exe

smvraid.exe

usinwb2.exe

xxiaw002.exe
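To put the two indicator lists above to use, the script below sweeps a directory tree and reports files whose name matches the System32 list or whose SHA-256 matches a component hash. It is an added example, not Fortinet's code: only part of each list is inlined (extend the two sets with the remaining entries from the lists above), name comparison is case-insensitive because NTFS is, and `demo()` builds a throwaway directory with constructed files so the script runs offline without touching a real system.

```python
"""Sweep a directory tree for the DistTrack indicators in this post: file
names the malware uses under %SYSTEMROOT%\\System32 and SHA-256 hashes of
its components.  Added example, not Fortinet's code; only part of each IOC
list is inlined, and demo() builds a throwaway directory so it runs offline."""
import hashlib
import os
import tempfile

# Subset of the SHA-256 list above; extend with the remaining hashes.
DISTTRACK_SHA256 = {
    "010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb",
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
    "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",  # RawDisk
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",  # RawDisk
}
# Subset of the file-name list above, lower-cased (NTFS is case-insensitive).
DISTTRACK_NAMES = {
    "_mvscdsc.exe", "_s3wcap32.exe", "briaw002.exe", "caiaw00a.exe",
    "dmwaudio.exe", "hdvmp32.exe", "miwaprpl.exe", "olvsnap.exe",
    "pdwmtphw.exe", "sbuvideo.exe", "smvraid.exe", "usinwb2.exe",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, names=DISTTRACK_NAMES, hashes=DISTTRACK_SHA256):
    """Return sorted (relative path, reason) pairs for files matching an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if fname.lower() in names:
                hits.append((rel, "name"))
            try:
                if sha256_file(path) in hashes:
                    hits.append((rel, "sha256"))
            except OSError:
                continue    # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def demo():
    """Constructed tree: one name hit, one hash hit, one clean file."""
    payload = b"constructed stand-in for a DistTrack component\n"
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "System32")
        os.makedirs(sub)
        with open(os.path.join(sub, "OLVSNAP.EXE"), "wb") as fh:
            fh.write(b"MZ not really")
        with open(os.path.join(sub, "dropper.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"clean\n")
        # Add the constructed payload's hash so the hash path is exercised too.
        hashes = DISTTRACK_SHA256 | {hashlib.sha256(payload).hexdigest()}
        return scan(root, hashes=hashes)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:7} {rel}")
```

On a live host run it as an account that can read System32 (`scan(os.path.join(os.environ["SYSTEMROOT"], "System32"))`). A hash hit is conclusive; a name hit only says a file with that name exists, so hash it or check its signer before acting on it, and remember that the dropper also needs the EldoS RawDisk driver listed above to reach the disk, so its hashes belong in the set as well.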

 

