An Analysis of the Shamoon 2 Malware Attack

February 7, 2017
Vectra AI Security Research team

Saudi officials recently warned organizations in the kingdom to be on the alert for the Shamoon 2 malware, which cripples computers by wiping their hard disks. In 2012, Shamoon crippled Saudi Aramco and this new variant was reportedly targeted at the Saudi labor ministry as well as several engineering and manufacturing companies.

During a recent analysis, Vectra Networks came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents.

These documents use PowerShell to download and execute a reconnaissance tool that establishes the attackers' foothold in the victim’s network. This tool, known as ISM, appears to be a full-fledged standalone tool that allows remote operators to data-mine systems before covering their tracks with Shamoon 2.

ISM is a relatively small binary in comparison to modern malware. It is roughly between 565 and 580 KB in size and appears to have been compiled with Microsoft Visual C++ 8.0. Once executed, the tool performs several actions in order to gather as much critical information as possible about the targeted system.

It contains a few anti-sandbox and anti-analysis checks and specifically looks for a running “ISM.exe” process before it will complete its operation.

Figure 1: Tasklist search for ISM.exe

The tool will obtain the following information on the targeted machine:

  • Installed anti-virus products
  • Installed firewall products
  • Current system date and time
  • Current system time zone
  • The domain of the local “administrator” account
  • A full netstat dump (netstat -ant)
  • A full ipconfig dump (ipconfig /all)
  • %username% environment variable
  • %userdomain% environment variable
  • A full system profile info dump (systeminfo)
  • List of currently running processes (tasklist)
  • WPAD and current proxy configurations

Figure 2: Examples of data-gathering scripts

When a normal system shutdown does not succeed, the tool forces one by task-killing the Windows initialization process, wininit.exe. It can also create scheduled tasks and use them to disrupt application and system update checks.

In addition, the tool has the ability to execute additional remote access tools (RATs) and backdoors. The following tools are specifically labeled in the code:

  • PowerShell UACME tool, used to bypass UAC and escalate privileges by dropping various DLL files via the Wusa.exe Windows binary. This tool specifically targets the OOBE method.
  • PowerShell Empire Invoke-BypassUAC method, which abuses a trusted published certificate during process injection to elevate privileges and bypass UAC.
  • Mimikatz – A popular tool for obtaining stored Windows credentials on the machine.
  • Powercat – A PowerShell TCP port 4444-based backdoor compatible with ncat and netcat.
  • ExecuteKL – A generic keylogger that can be executed on the system, with its results stored in a temporary file.

Figure 3: References to additional RAT resources

The tool also makes outbound DNS and HTTP requests to the server update.winappupdater.com. Upon inspection, this server at one point served several suspicious PHP pages and URIs whose names indicate C&C functionality.

The tool uses a distinctive user agent string, “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”, for its HTTP C&C requests:

Figure 4: User agent string identifier

Example parameters during C&C would be similar to the following:

commandid=62168133-0418-411c-a6f9-27b812b76759

commandId=CmdResult=85bd26b3-c977-47d8-a32b-f7bae6f8134d

These HTTP requests are made to URIs containing Home/BM, Home/CC, Home/SCV or Home/CR. A few other resources, such as Home/SF and Home/gf, were also noted and might be used for testing or previous campaigns.

Figure 5: C&C communication URI locations
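As an added example (not code from the original post), the following Python checks proxy log records against the C&C indicators described above: the server name, the user agent string, the Home/* URI paths and the GUID-valued commandid parameters. The tab-separated log layout and the sample lines are constructed for this example; the user agent alone is a stock IE11 string, so a record is only flagged when at least two indicators match.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted from the write-up above (not a complete set).
C2_HOST = "update.winappupdater.com"
C2_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
C2_PATHS = {"/home/bm", "/home/cc", "/home/scv", "/home/cr", "/home/sf", "/home/gf"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Assumed proxy log layout (constructed): timestamp, client IP, method, URL, user-agent, tab-separated.
def parse_line(line):
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}

def score_request(rec):
    """Return the ISM C&C indicators that one proxy record matches."""
    hits = []
    parts = urlsplit(rec["url"])
    if parts.hostname and parts.hostname.lower() == C2_HOST:
        hits.append("c2-host")
    if rec["ua"] == C2_UA:
        hits.append("c2-user-agent")
    if parts.path.lower().rstrip("/") in C2_PATHS:
        hits.append("c2-uri")
    # Forms seen on the page: commandid=<GUID> and commandId=CmdResult=<GUID>
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "commandid" and any(GUID_RE.match(v.split("=")[-1]) for v in values):
            hits.append("c2-command-guid")
    return hits

def find_ism_c2(lines, min_hits=2):
    """Alert on records matching at least min_hits indicators; the user agent
    is a stock IE11 string, so on its own it is never enough."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        hits = score_request(rec)
        if len(hits) >= min_hits:
            alerts.append((rec["client"], rec["url"], hits))
    return alerts

# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = [
    "2017-02-07T10:00:01Z\t10.1.2.30\tPOST\thttp://update.winappupdater.com/Home/CC?commandid=62168133-0418-411c-a6f9-27b812b76759\t" + C2_UA,
    "2017-02-07T10:00:05Z\t10.1.2.31\tGET\thttp://www.example.com/\t" + C2_UA,
    "2017-02-07T10:01:00Z\t10.1.2.30\tPOST\thttp://update.winappupdater.com/Home/CR?commandId=CmdResult=85bd26b3-c977-47d8-a32b-f7bae6f8134d\t" + C2_UA,
    "2017-02-07T10:02:00Z\t10.1.2.40\tGET\thttp://intranet.example.com/Home/BM\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]
```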

In addition, the server also appears to host an outdated Microsoft-certified Intel wireless LAN driver (NB500_Win7_intel_wireless_LAN_Driver_13.3.0.24.1.s32). This driver is likely being used either to manipulate existing network drivers or to exploit a vulnerability in the driver itself for privilege elevation on the targeted systems.

Once this binary has executed on a system and the attackers are satisfied with the gathered data, the tool has the ability to remove all traces of its temporary files from the system.

This stolen data is then directly used in the Shamoon 2 builder application in order to maximize data wipe effectiveness. Since credentials and network locations are stolen in this phase, the operators merely have to deliver the Shamoon 2 malware to the system via the ISM backdoor whenever they are finished performing their primary mission.

Upon initialization, the Shamoon 2 binary will scan the current /24 network to which the local machine is connected. This network sweep will scan for machines using the stolen credentials gathered by the ISM malware via TCP ports 135, 139, and 445.

The malware checks for valid passwords against these systems by abusing remote registry calls. Once a remote registry session succeeds, it uses RPC and psexec to copy its files to the machine and then silently execute each of the binaries.
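As an added example (not from the original post), this Python routine looks for the network sweep described above in a constructed flow log: one source touching many distinct hosts in a single /24 on TCP 135, 139 or 445 within a short window. The log layout, the sample flows and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports the write-up says the Shamoon 2 sweep uses against the local /24.
SWEEP_PORTS = {135, 139, 445}

# Assumed flow-log layout (constructed): "ISO-timestamp src_ip dst_ip dst_port"
def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_smb_sweep(lines, min_hosts=8, window=timedelta(minutes=5)):
    """Flag a source that reaches at least min_hosts distinct hosts of one /24
    on the sweep ports within `window`. Returns [(src, network, hosts_seen)]."""
    seen = defaultdict(list)  # (src, "/24") -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port not in SWEEP_PORTS:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(src, str(net))].append((ts, dst))
    alerts = []
    for (src, net), events in seen.items():
        events.sort()
        best, lo = 0, 0
        # Sliding time window over the ordered events, counting distinct destinations.
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= min_hosts:
            alerts.append((src, net, best))
    return alerts

# Constructed sample: one host walking 10.0.5.0/24 on 445, plus ordinary noise.
SAMPLE_FLOWS = (
    [f"2017-02-07T02:1{i // 10}:{i % 10 * 5:02d} 10.0.5.23 10.0.5.{100 + i} 445" for i in range(12)]
    + ["2017-02-07T02:10:00 10.0.5.41 10.0.5.10 445",
       "2017-02-07T02:10:30 10.0.5.41 10.0.5.10 139",
       "2017-02-07T02:11:00 10.0.5.42 10.0.9.7 443"]
)
```

Tune min_hosts and window to the site's normal SMB fan-out (backup servers and vulnerability scanners will legitimately trip this rule and need an allow-list).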

Current copies of the Shamoon 2 binaries wipe the system at 02:30 system time on the Tuesday following execution. We believe the payload detonation date and time may also be customized for each campaign.

What you should do

Upon detection of any Shamoon 2 activity, it is strongly advised that all affected systems be powered off immediately. Administrators should then boot the affected devices from a secure USB device and mount the file system read-only.

Mission-critical files should then be removed from the system and the system should be re-imaged with different credentials. Administrators should note that if the Shamoon 2 binary or its network activity is detected, domain credentials and likely other sensitive information have already been stolen and exfiltrated from the affected network.

The resulting payload of Shamoon 2, which wipes the MBR and replaces it with an image, is likely used to cover the tracks of the attackers and their true motives.
