FortiGuard is currently investigating a new wave of attacks targeting Kingdom of Saudi Arabia organizations that use an updated version of the Shamoon malware (also known as DistTrack.) We described this malware in detail a few months ago in a previous article.
The key features of that version remain the same, yet some voluntary changes are taking place:
- Images used. Shamoon still overwrites files with an image of the drowned Syrian toddler Alan Kurdi, but this time the picture size is different. In November 2016 it was using a picture of 349x286 pixels. Now a larger image of 700x577 pixels is used. The headers of the images look different as well:
Pic 1: The header of image file used in November 2016
Pic 2: The header of image file used in January 2017.
Note: “Ducky” pattern is a legitimate string in Photoshop files.
- Different compilation times. In November, attack samples contained a bogus compilation date of 2009-02-15. This time, two different dates are used. All new samples contain erroneous compilation dates of either 2011-06-06 or 2011-09-15.
Pic 3: Bogus compilation timestamp used in January 2017.
The reasons why the criminals started to use different images and compilation times are currently unknown. One possible explanation is that there are several groups behind these attacks. A second possible scenario is that criminals want their samples to evade detection by popular antivirus applications.
3. Credentials. Shamoon tries to propagate itself with the use of static credentials hardcoded into the body of its code. In recent analyzed samples, we discovered several new default credentials from Huawei’s FusionCube virtualization products. Shamoon can now also target both physical and virtual machines.
Pic 4: Part of hardcoded credentials used.
The biggest current mystery is how the developers initially obtained valid credentials that have been used in Shamoon attacks. FortiGuard will continue to investigate these attacks and provide updates as new information develops.
-= FortiGuard Lion Team =-
Fortinet protections to date:
Currently all found samples of DistTrack are detected by these AV signatures:
Application Control signature:
Indicators of Compromise:
EldoS RawDisk Components:
Possible names of the malware in %SYSTEMROOT%\System32 folder: