Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, researchers said.
The second wave of attacks, called Shamoon 2, was just seen in attacks aimed at Saudi Arabia and other states in the Persian Gulf.
The malware has several variants, including one capable of targeting virtual desktop infrastructure (VDI) products.
An analysis conducted Symantec showed the attackers behind Shamoon, which ISSSource reported are in Iran, may have been aided by a threat actor dubbed Greenbug. Symantec linked the Greenbug and Shamoon groups after discovering malware from both groups on the same system.
IBM’s X-Force Incident Response and Intelligence Services (IRIS) researchers analyzed the recent waves of Shamoon attacks and determined the initial breach likely took place weeks before the malware ended up deployed and activated.
Shamoon, also called Disttrack, had been programmed to step into action at a specified time and date, typically when the targeted organization’s employees were less likely to notice it.
X-Force researchers said the attackers used weaponized Office documents as an entry point.
The documents, they said, contained a malicious macro which, when executed, initiated command and control (C&C) communications and deployed a remote shell via PowerShell.
The malicious files ended up sent to targeted users via spear phishing emails. Some of the documents found by IBM referenced an Egypt-based software professional services organization named IT Worx, and Saudi Arabia’s Ministry of Commerce and Investment (MCI).
Once the victim opens the document and the macro ends up executed, PowerShell provides a communications channel to the compromised device, allowing attackers to remotely execute commands on it.
The attacker can use this access to deploy other tools and malware, and gain further access into the victim’s network. Once they can identify critical servers, the attackers can deploy Shamoon, which erases hard drives and causes systems to become inoperable.
The macro found in the documents executed two PowerShell scripts.