Just the thought of the destructive path of the Shamoon malware from a few years ago should send chills down the spine of security professionals.
This week a new variant of the malware was uploaded to VirusTotal.
The new version was also discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about ten percent of the company's PC fleet.
Most of the affected systems were located in the Middle East, where Saipem does the bulk of its business, but infections were also reported in India, Italy, and Scotland.
The malware was initially observed in attacks against Saudi Aramco and other companies in 2012, when it destroyed data on over 30,000 systems.
An updated version of the threat emerged in 2016, when it hit various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). One variant of Shamoon 2 was also observed targeting virtualization products.
Unlike most other malware used in targeted attacks, which focuses on stealing information, Shamoon erases data on infected computers and overwrites the hard disk, including its boot records, to render systems unusable. The data-wiping functionality is not triggered at the moment of infection, however, but on a hard-coded date, so an infected machine can sit dormant until that date arrives.
“The new variant of Shamoon doesn’t look good for organizations,” said Justin Jett, director of audit and compliance for Plixer. “The 2012 variant was used to wipe more than 30,000 systems at Saudi Aramco, and this version seems to do more harm before irrevocably encrypting files. Because Shamoon leverages Windows Server Message Block (SMB), organizations should use network traffic analytics to determine when and where this malware may be on the network. This will also provide forensic insight to determine if the malware has spread and ultimately to be able to quarantine infected devices. Specifically, if SMB isn’t widely used on the network, IT professionals should be suspicious of any connections made via SMB. As with all malware, organizations should be sure to routinely back up their systems to recover their files should they become infected.”
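The SMB-monitoring check Jett describes can be done with nothing more than flow records. The following is an added example, not code from the article, from Plixer or from any Shamoon analysis: it runs over a handful of constructed NetFlow-style records (assumed field order: source, destination, destination port, protocol), treats a small assumed set of file servers as the expected SMB destinations, and flags any host that opens TCP/445 to hosts outside that baseline. It generalizes the "be suspicious of any SMB" advice slightly by also scoring fan-out, since one workstation reaching many peers over SMB is the shape lateral movement takes in flow data.

```python
# Added example (not from the article or from Plixer): flag hosts that start
# talking SMB (TCP/445) to peers outside a known-good baseline, using
# constructed NetFlow-style records. Field names, addresses and the baseline
# are assumptions for illustration.
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.0.5", 445, "tcp"),   # workstation -> file server: expected
    ("10.1.1.21", "10.1.0.5", 445, "tcp"),
    ("10.1.1.20", "10.1.0.9", 443, "tcp"),   # HTTPS, not of interest here
    ("10.1.1.37", "10.1.1.20", 445, "tcp"),  # workstation -> workstation SMB
    ("10.1.1.37", "10.1.1.21", 445, "tcp"),
    ("10.1.1.37", "10.1.1.22", 445, "tcp"),
    ("10.1.1.37", "10.1.0.5", 445, "tcp"),   # also to the file server (baseline)
    ("10.1.1.41", "10.1.1.44", 445, "tcp"),  # a single lateral SMB connection
]

# Hosts that are expected SMB servers (assumed baseline, e.g. file/print servers).
SMB_BASELINE_SERVERS = {"10.1.0.5"}


def unexpected_smb_peers(flows, baseline=SMB_BASELINE_SERVERS):
    """Return {src_ip: sorted list of non-baseline hosts it reached on TCP/445}."""
    peers = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445 and dst not in baseline:
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items()}


def smb_fanout_alerts(flows, baseline=SMB_BASELINE_SERVERS, threshold=2):
    """Sources that opened SMB to at least `threshold` distinct non-baseline hosts.

    Fan-out like this is what something being pushed across a network over
    SMB looks like in flow data; a single connection may be an admin share.
    On a network where SMB is not used at all, set threshold=1.
    """
    return sorted(
        src
        for src, dsts in unexpected_smb_peers(flows, baseline).items()
        if len(dsts) >= threshold
    )


if __name__ == "__main__":
    for src, dsts in unexpected_smb_peers(SAMPLE_FLOWS).items():
        print(f"{src} -> SMB to non-baseline hosts: {', '.join(dsts)}")
    print("fan-out alerts:", smb_fanout_alerts(SAMPLE_FLOWS))
```

The same logic applies to Zeek `conn.log` or firewall logs once the tuple is extracted; the point is that the baseline is a list of hosts that are supposed to serve SMB, so that anything else answering on 445 stands out regardless of which malware is moving.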
Mounir Hahad, head of Juniper Threat Labs, also commented on the infection found on Saipem's network.
“This version of the Shamoon destroyer packs the same punch as previous attacks, but was made more difficult to study as no indication of the intended victim is present in the malware itself, unlike previous versions,” Hahad said. “This variation will render any system it infects unusable by overwriting a key hard drive section called the Master Boot Record with random data. Unlike the previous variant, this one does not attempt to spread, which leads us to believe that the attack vector and the method of infecting more systems is yet to be discovered. The good news from a victim’s perspective is that some data can still be restored and the systems can definitely be brought back to life by using backups. Several anti-malware technologies, including Juniper’s JATP Appliance and Sky ATP next-gen firewall security services, are able to detect and block this threat.”
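Hahad's description of the damage, the Master Boot Record overwritten with random data, suggests a simple triage check when a fleet of machines suddenly fails to boot. The following is an added example, not code from the article or from Juniper: it decides whether a 512-byte boot sector still looks like a classic MBR (boot signature 0x55AA at offset 510, four sane partition-table entries) or has been replaced with random bytes. The sample sectors are constructed in the code so it runs without touching a real disk; on a live system the first 512 bytes of the disk device would be read instead.

```python
# Added example (not from the article or from Juniper): a triage check for
# whether a boot sector still looks like a valid MBR or has been overwritten
# with random data. Runs on constructed sector images, not on a live disk.
import random
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # the partition table occupies bytes 446-509
PT_ENTRY = 16              # four 16-byte entries
BOOT_SIG = b"\x55\xaa"     # boot signature at bytes 510-511


def mbr_looks_valid(sector: bytes) -> bool:
    """True if the sector has the boot signature and a sane partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        return False
    active = 0
    for i in range(4):
        start = PT_OFFSET + i * PT_ENTRY
        entry = sector[start:start + PT_ENTRY]
        status, ptype = entry[0], entry[4]
        (num_sectors,) = struct.unpack_from("<I", entry, 12)
        if status not in (0x00, 0x80):      # only "inactive" or "bootable" are legal
            return False
        if ptype == 0x00:                   # unused slot must be entirely zero
            if any(entry[1:]):
                return False
            continue
        if num_sectors == 0:                # a real partition has a length
            return False
        active += status == 0x80
    return active <= 1                      # at most one bootable partition


def build_sample_mbr() -> bytes:
    """Constructed minimal MBR: one bootable NTFS-type (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    sector[PT_OFFSET:PT_OFFSET + PT_ENTRY] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_wiped_mbr(seed: int = 2018) -> bytes:
    """Constructed 'wiped' sector: pseudo-random bytes, as a wiper that
    overwrites the MBR with random data would leave it (seeded for repeatability)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(SECTOR_SIZE))


def classify_sector(sector: bytes) -> str:
    """Short verdict for an analyst: 'intact', 'no boot signature' or 'bad partition table'."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        return "no boot signature"
    return "intact" if mbr_looks_valid(sector) else "bad partition table"


if __name__ == "__main__":
    print("sample MBR :", classify_sector(build_sample_mbr()))
    print("wiped MBR  :", classify_sector(build_wiped_mbr()))
```

This is a heuristic, not proof of integrity: a GPT disk's protective MBR passes it, and a wiper that keeps the signature and only trashes the partition entries or the boot code would need the stricter comparison against a known-good copy or hash of the sector taken before the incident. Where that golden copy exists, restoring it is exactly the "systems can be brought back to life" path Hahad refers to, with file data then recovered from backups.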