The Shamoon malware, also known as Disttrack, surfaced for the first time back in 2012 targeting Middle East Oil companies. It leveraged stolen credentials to gain access, and then exhibited worm-like behavior to spread throughout the entire targeted network. All Shamoon attacks were clearly very carefully planned beforehand, as the attackers had to gain access to legitimate credentials before launching the attack.
While most modern malware is focused on monetizing through any way possible, from bitcoin mining to the current trend of high-profile ransomware, Shamoon was not keen about the dough. Instead, this is believed to be a hacktivist attack.
Allegedly, the author of this malware is the hacker group called “Cutting Sword of Justice,” who claimed responsibility for the attack that rendered 30,000 computers unusable.
This attack was designed to break in, infect machines, and then clean its tracks. It also stole information from certain files and sent it back to its command and control center, probably so the author could verify that his attack was successful.
Once a device was infected, Shamoon proceeded to gain write privileges to the master boot record and then overwrote the content of critical files with JPEG image data, making the machine completely unusable. The original JPEG file used was a picture of a burning USA flag.
Soon after its debut, and the high-profile destruction of tens of thousands of computers, Shamoon went dormant. But now, four years later, a new attack was launched using an upgraded version of the malware. And guess who the target was?
You bet. Middle Eastern companies again, Saudi Arabia again. And this attack was just as well planned as the previous attack. It took place on Thursday, November 17, 2016, at 20:45, the end of the work week in Saudi Arabia. Theoretically, the date was selected so the malware would have time to spread over the weekend with less possibility that someone would spot its activity. This is just one of the many features shared between this and the previous attack four years ago.
X-Ray of the Malware
We can confirm that current modifications of DistTrack are almost identical to the samples used back in 2012. This is a multi-component malware with the ability to propagate itself via the local network. The malicious functions of its components are listed below.
- We have found x32 and x64 modifications of the Dropper. All of these samples carry a compilation timestamp of 2009-02-15, with a variety of times all around 12:32 PM. These times are obviously bogus, since every version of the Dropper we have investigated includes an embedded, encrypted image of Alan Kurdi, who died on 2015-09-02.
- Variant Modifications: The version of this malware that was uploaded on Virus Total on 2016-12-02 has a bogus Microsoft signature in the file overlay. This signature was ripped from one of the Sysinternals tools, and the checksum of the file did not match.
Picture 1: Bogus Microsoft signature in the end of Disttrack dropper
- This Dropper contains other malicious components, which are masked as bitmap resources PKCS12, PKCS7, and X509. These components are also encrypted with a simple XOR algorithm.
Picture 2: Embedded resources of the Disttrack dropper
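The two observations above, the impossible compilation timestamp and the XOR-masked resources, are the kind of thing a triage script can check automatically. The following is an added example, not Fortinet's code and not derived from a real Disttrack sample: it assumes the "simple XOR" is a single-byte key (the post does not specify the scheme), brute-forces that key by looking for a valid DOS/PE header, and then reads the COFF TimeDateStamp and flags it as bogus if it predates an artifact the binary demonstrably contains (here the photo date quoted above). The PE stub, the key 0x5A and the resource layout are constructed for the example.

```python
import struct
from datetime import datetime, timezone

# Date the embedded photo cannot predate (from the post); a compile time earlier
# than this is impossible for a binary that embeds the image.
ARTIFACT_DATE = datetime(2015, 9, 2, tzinfo=timezone.utc)


def build_fake_pe(timestamp: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal PE-like stub (NOT a real executable) carrying only the
    header fields this triage reads: 'MZ', e_lfanew, 'PE\\0\\0', Machine, TimeDateStamp."""
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)            # e_lfanew lives at 0x3C
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<H", buf, e_lfanew + 4, 0x014C)      # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<I", buf, e_lfanew + 8, timestamp)   # COFF TimeDateStamp
    return bytes(buf)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor(blob: bytes):
    """Try every single-byte key (assumption: the resource is single-byte XOR masked);
    return (key, plaintext) for the first key that yields a PE header, else None."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def pe_timestamp(data: bytes) -> datetime:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(blob: bytes) -> dict:
    """Unmask a resource blob and report whether its compile timestamp is plausible."""
    found = recover_single_byte_xor(blob)
    if found is None:
        return {"pe": False}
    key, pe = found
    ts = pe_timestamp(pe)
    return {
        "pe": True,
        "key": key,
        "timestamp": ts.strftime("%Y-%m-%d %H:%M"),
        "timestamp_bogus": ts < ARTIFACT_DATE,
    }


# Constructed sample: a stub "compiled" 2009-02-15 12:32 UTC (epoch 1234701120),
# masked with the constructed key 0x5A.
SAMPLE_BLOB = xor_bytes(build_fake_pe(1234701120), 0x5A)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

On a real sample the same check would be run over each resource named in the post (PKCS12, PKCS7, X509) after extracting it from the resource section; a multi-byte key would need a longer known-plaintext check than the two signature fields used here.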
- After starting, the dropper creates a service with the following parameters:
Service name: “NtsSrv”
Display name: “Microsoft Network Realtime Inspection Service”
Description: “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”
Path to executable: “Dropper_name.exe LocalService”
For additional persistence in the system, the Dropper also makes the “Workstation” service dependent on the new malicious service.
- After that, the Dropper starts the newly created service and ends its own process. From that point on it works as a service. It also checks for the parameter “LocalService” to ensure that it is running as a service.
- Next, the Dropper starts to unpack other components. First, it unpacks a RawDisk license key and drops it as “%SYSTEMROOT%\Temp\key8854321.pub.” This license key is required for Shamoon’s Wiper functionality to use the RawDisk commercial disk driver to access the system hard drive. More details are provided in the Wiper details section, below.
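The service attributes, the “LocalService” launch argument, the Workstation dependency and the dropped license key path listed in the preceding points are all host-level indicators that can be matched against an inventory export. The following is an added example, not Fortinet's code: it takes service and file records as plain dictionaries and paths (assumed to have been collected by whatever host-inventory tool is in use) and reports which of the post's indicators each host matches. The records below are constructed; the dropper file name is a placeholder, since the real name is drawn from a list not reproduced here.

```python
import re

# Indicators quoted in the post.
MALICIOUS_SERVICE_NAME = "NtsSrv"
MALICIOUS_DISPLAY_NAME = "Microsoft Network Realtime Inspection Service"
MALICIOUS_DESCRIPTION = ("Helps guard against time change attempts targeting known "
                         "and newly discovered vulnerabilities in network time protocols")
LICENSE_KEY_RELPATH = r"\Temp\key8854321.pub"   # relative to %SYSTEMROOT%


def check_service(svc: dict) -> list:
    """Return the reasons one service record matches the Dropper's service."""
    reasons = []
    if svc.get("name", "").lower() == MALICIOUS_SERVICE_NAME.lower():
        reasons.append("service name NtsSrv")
    if svc.get("display_name") == MALICIOUS_DISPLAY_NAME:
        reasons.append("display name matches")
    if svc.get("description") == MALICIOUS_DESCRIPTION:
        reasons.append("description matches")
    # The Dropper relaunches itself as "<dropper>.exe LocalService"; the EXE name varies.
    if re.search(r"\.exe\s+LocalService\s*$", svc.get("image_path", ""), re.IGNORECASE):
        reasons.append("image path ends with the LocalService argument")
    return reasons


def check_host(services: list, files: list, systemroot: str = r"C:\Windows") -> list:
    """Match a host's services and file listing against the indicators; return findings."""
    findings = []
    for svc in services:
        reasons = check_service(svc)
        if reasons:
            findings.append(f"service {svc.get('name')}: " + ", ".join(reasons))
        # The Workstation service (service name LanmanWorkstation) made to depend on NtsSrv.
        if svc.get("name", "").lower() in ("lanmanworkstation", "workstation"):
            deps = [d.lower() for d in svc.get("depends_on", [])]
            if MALICIOUS_SERVICE_NAME.lower() in deps:
                findings.append("Workstation service depends on NtsSrv")
    wanted = (systemroot + LICENSE_KEY_RELPATH).lower()
    for path in files:
        if path.lower() == wanted:
            findings.append(f"RawDisk license key present: {path}")
    return findings


# Constructed inventory for one infected host (placeholder dropper name).
SAMPLE_SERVICES = [
    {"name": "W32Time", "display_name": "Windows Time",
     "description": "Maintains date and time synchronization on all clients and servers in the network.",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalService", "depends_on": []},
    {"name": "NtsSrv", "display_name": MALICIOUS_DISPLAY_NAME, "description": MALICIOUS_DESCRIPTION,
     "image_path": r"C:\Windows\System32\PLACEHOLDER_dropper.exe LocalService", "depends_on": []},
    {"name": "LanmanWorkstation", "display_name": "Workstation",
     "description": "Creates and maintains client network connections to remote servers using the SMB protocol.",
     "image_path": r"C:\Windows\System32\svchost.exe -k NetworkService", "depends_on": ["Bowser", "MRxSmb20", "NSI", "NtsSrv"]},
]
SAMPLE_FILES = [r"C:\Windows\Temp\key8854321.pub", r"C:\Windows\Temp\setup.log"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_SERVICES, SAMPLE_FILES):
        print(finding)
```

Matching on the display name and description rather than the executable name is deliberate: the service name and description are fixed across the samples described here, while the dropper's file name is chosen from a list.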
- The Dropper then checks the system time, and if it is more than a certain value it will drop and execute its “Wiper” component. The functionality of the Wiper is discussed in more detail below. The name for the Wiper component is pseudo-randomly chosen from the following list of names:
- The Dropper then drops and launches its communication component. This component always has a static name:
The Dropper starts it with the parameter of “1”.
Picture 4: request to the nonexistent domain “server”
This is another confirmation that this malware was created with purely destructive purposes.
- Propagation: The Dropper tries to connect to the IP addresses in the current /24 subnet. It then tries to open common system files from the system32 folder. If successful, the Dropper will try to copy itself to the remote system and then run a remote service or schedule a remote job. The name of the malware is chosen from the same name list shown in point 7, above. It then installs the Dropper as a service, just as on the initially infected machine.
To connect to other computers in the network, Dropper uses hardcoded credentials from its body:
Picture 5: part of the credentials used for network propagation
Note: How the criminals obtain these credentials is currently unknown.
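A sweep of a /24 with valid credentials looks different from normal workstation traffic: one source authenticating to many neighbours in its own subnet within minutes. The following is an added example, not Fortinet's code or FortiSIEM logic: a small detector run over constructed SMB session records (timestamp, source, destination, account; the log format is an assumption) that flags a source touching a threshold number of distinct hosts in its own /24 inside a time window. The addresses, account names and the threshold are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line: str):
    """Parse one constructed record: '<ISO timestamp> <src ip> <dst ip> <account>'."""
    ts, src, dst, user = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), user


def lateral_fanout(lines, threshold: int = 8, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag sources that reach >= threshold distinct hosts in their own /24 within `window`.
    Only same-/24 destinations count, matching the propagation behaviour described above."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, dst, user in events:
        if dst != src and dst in ipaddress.ip_network(f"{src}/24", strict=False):
            by_src[src].append((ts, dst, user))
    alerts = []
    for src, evs in by_src.items():
        for i, (t0, _, _) in enumerate(evs):          # sliding window starting at each event
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            targets = {d for _, d, _ in in_window}
            if len(targets) >= threshold:
                alerts.append({
                    "src": str(src),
                    "distinct_targets": len(targets),
                    "users": sorted({u for _, _, u in in_window}),
                    "start": t0.isoformat(),
                })
                break                                    # one alert per source is enough
    return alerts


def build_sample_log() -> list:
    """Constructed telemetry: one host sweeping 12 neighbours just after 20:45 on the
    attack date quoted above, plus unrelated benign activity."""
    base = datetime(2016, 11, 17, 20, 45, 0)
    lines = []
    for i in range(1, 13):
        lines.append(f"{(base + timedelta(seconds=7 * i)).isoformat()} 10.0.5.17 10.0.5.{20 + i} ACME\\svc_admin")
    # Same source, different subnet: not part of the /24 sweep, so not counted.
    lines.append(f"{(base + timedelta(seconds=100)).isoformat()} 10.0.5.17 10.0.9.3 ACME\\svc_admin")
    # Benign user touching two file servers.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 10.0.5.40 10.0.5.50 ACME\\alice")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} 10.0.5.40 10.0.5.51 ACME\\alice")
    return lines


if __name__ == "__main__":
    for alert in lateral_fanout(build_sample_log()):
        print(alert)
```

The account name in the alert is the useful pivot: because the Dropper authenticates with credentials baked into its body, the same account will show up on every hop, which also makes it the credential to revoke first.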
- The Wiper component unpacks a special driver from its body that it uses to gain direct access to the system hard disk. It uses the RawDisk Driver from EldoS Corporation.
Note: This is a legitimate driver from a commercial software company, and is not malicious by itself. More information on this driver can be found here.
- The RawDisk Driver requires a license for use. The Wiper component uses the file “%SYSTEMROOT%\Temp\key8854321.pub”, which was saved by the Dropper earlier. The Wiper also changes the system date to a random date between 2012-08-01 and 2012-08-20 to match the license validity period.
- The Wiper then tries to rewrite the hard disk’s partition tables, making a boot of the system impossible. In our lab analysis, the attack was successful on x86 systems but not successful on x64 systems.
Picture 6: successful overwriting partition table by Disttrack on Windows XP x86.
- Besides overwriting the partition table, the Wiper also tries to overwrite files with a 19KB JPEG image of the drowned Syrian refugee child, Alan Kurdi:
Pictures 7 and 8: new content of overwritten files (obscured), actual overwritten photo
Fortinet protections to date
Based on our analysis, we have determined that the Fortinet Security Fabric would have easily spotted the initial Shamoon infection, and could have also used the information from the infection itself to restore the network to its previous, safe state. In addition, from the moment the malware started spreading through the infrastructure and changing every machine’s device driver, FortiSIEM, with its pervasive view of the entire infrastructure, including the targeted endpoints, would have identified that the network was exhibiting very unusual activity and would have flagged it for review.
Currently all found samples of DistTrack are detected by these records:
Indicators of Compromise:
EldoS RawDisk Components:
Malicious service attributes:
Description = “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols”
Display name = “Microsoft Network Realtime Inspection Service”
Possible names of the malware in %SYSTEMROOT%\System32 folder: