Whenever there is a new report about a targeted attack, the first thing you might think is what is the intention.
Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a 0-day vulnerability in order to silently install a sophisticated malware
Seculert received information about a new attack targeting several specific companies in a few industries. The attack is called “Shamoon”, due to a string of a folder name within the malware executable
The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files and the Master-Boot Record of the computer. Why would someone wipe files in a targeted attack and make the machine unusable?
While it’s rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran, that were infected with another unknown malware. This then lead Kaspersky to the discovery of Flame.
Furthermore, Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company network.
What is Shamoon?
Shamoon, also known as Disttrack, nabs data from PC folders like “Documents and Settings” and “System32/Config,” stealing information as any malware virus would do.
However, what’s different about Shamoon is that it’s able to overwrite the master boot record (MBR) of the machines it infiltrates, crippling them completely.
In the case of the Saudi oil company, stolen data was replaced with JPEG images, preventing any future file recovery.
Analysts think Shamoon is a copycat virus, taking cues from the “Wiper” virus that swept through Iran in April, though believe there is no connection between the two.
Symantec broke down the virus’ components into three main parts:
Through each step, Shamoon gathers, destroys and retrieves information for the attacker.
One analyst explained the virus’ wiping component as an attempt by the attackers to cover their tracks.
Some think the virus’ name may be taken from the Shamoon College of Engineering in Israel.
Another theory has it named after one of the virus’ authors – Shamoon means “Simon” in Arabic.