Research: Furtive Malware Rises Again

Researchers have found fresh activity from the old Shamoon malware (also known as Disttrack). The malware was first seen in 2012, when it attacked the Saudi oil company Aramco; it has since been studied by many specialists. In that campaign the malware was configured to erase data from 30,000 computers and to wipe the MBR (Master Boot Record). When its work was done, it displayed an image of a burning American flag.


Four years later, researchers warn that Shamoon has returned. The malware was once again aimed at at least one unnamed company in Saudi Arabia, and its configuration contained hard-coded credentials for the company's employees' computers so that the threat could spread rapidly and cause as much damage as possible. As in 2012, the malware overwrites data on the disk and overwrites the MBR.
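Because both campaigns end by overwriting the MBR, one cheap defensive control is to baseline the first sector of every machine and re-check it. The following is an added example, not code from the article or from Fortinet: it parses a 512-byte MBR image, checks the 0x55AA boot signature and the partition table, and compares the sector hash against a stored baseline. The sample MBR images are constructed inline; any real deployment would read the sector from disk and keep the baseline hash somewhere the endpoint cannot modify.

```python
"""Sanity-check a 512-byte MBR image for signs of overwriting.

Added example (not from the original article). A wiped or garbage-filled MBR
loses its 0x55AA boot signature, its partition table, or both; a baseline hash
catches subtler rewrites that keep the structure valid.
"""
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Return the four 16-byte partition entries as dicts (empty entries included)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Classify an MBR image as 'ok' or 'suspect' and list the reasons."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"verdict": "suspect", "findings": ["wrong length"]}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 for e in entries):
        findings.append("partition table is empty")
    for e in entries:
        # Only 0x00 (inactive) and 0x80 (bootable) are valid status bytes.
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{e['status']:02x}")
            break
    if baseline_sha256 is not None:
        if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
            findings.append("sector hash differs from baseline")
    return {"verdict": "suspect" if findings else "ok", "findings": findings}


def build_healthy_mbr() -> bytes:
    """Constructed sample: one active NTFS-type partition starting at LBA 2048."""
    boot_code = bytes(446)  # a real MBR carries boot code here; zeros suffice for the check
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + bytes(PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed sample sectors: a healthy baseline, a zero-filled wipe, and garbage.
HEALTHY_MBR = build_healthy_mbr()
BASELINE = hashlib.sha256(HEALTHY_MBR).hexdigest()
ZERO_WIPED_MBR = bytes(MBR_SIZE)
GARBAGE_MBR = bytes(range(256)) * 2

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("zero-wiped", ZERO_WIPED_MBR),
                        ("garbage", GARBAGE_MBR)):
        print(name, assess_mbr(image, BASELINE))
```

The structural checks alone flag the two wiped images; the hash comparison is what catches a rewrite that preserves the signature and table, so keep the baseline off the host being checked.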

All Shamoon attacks were evidently planned carefully in advance, since the attackers had obtained legitimate credentials before launching the attack.

It can be confirmed that the current Disttrack modification is almost identical to the samples used back in 2012. It is a multi-component malicious program able to propagate itself across a local area network. The malicious functions of its components are listed in the article by Douglas Jose Pereira dos Santos and Artem Semenchenko.

Based on their analysis, they determined that the Fortinet Security Fabric could easily detect the initial Shamoon infection and could also use information from the earliest infections to restore the network to its previous, safe state. In addition, since the malware started spreading across the infrastructure and changed device drivers on every machine, FortiSIEM, with its broad view of the entire infrastructure including the targeted endpoints, would have determined that the network was showing highly unusual activity and flagged it for review.
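The "very unusual activity" a SIEM sees when a worm-like wiper spreads with hard-coded credentials is one account logging on to many hosts within minutes. The following is an added example, not code from the article or from FortiSIEM: a sliding-window detection over constructed logon events that flags any account whose distinct-destination count exceeds a threshold inside a ten-minute window. The event format and field names (account, host, outcome) are assumptions standing in for whatever the real telemetry source emits.

```python
"""Flag accounts that authenticate to an unusual number of hosts in a short window.

Added example (not from the article or from Fortinet). The sample events are
constructed to imitate endpoint logon telemetry as a SIEM would collect it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: one normal user, one normal admin, and one
# service account fanning out to six hosts in eight seconds.
SAMPLE_EVENTS = """\
2016-11-17T10:00:01 account=alice host=WS-01 outcome=success
2016-11-17T10:05:12 account=bob host=WS-02 outcome=success
2016-11-17T10:07:40 account=svc_deploy host=WS-03 outcome=success
2016-11-17T10:07:41 account=svc_deploy host=WS-04 outcome=success
2016-11-17T10:07:42 account=svc_deploy host=DC-01 outcome=failure
2016-11-17T10:07:43 account=svc_deploy host=FS-01 outcome=success
2016-11-17T10:07:44 account=svc_deploy host=WS-05 outcome=success
2016-11-17T10:07:46 account=svc_deploy host=WS-06 outcome=success
2016-11-17T10:07:48 account=svc_deploy host=WS-07 outcome=success
2016-11-17T11:30:00 account=alice host=WS-09 outcome=success
2016-11-17T12:00:00 account=svc_deploy host=WS-08 outcome=success
"""


def parse_event(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def detect_credential_fanout(lines: str,
                             window: timedelta = timedelta(minutes=10),
                             max_hosts: int = 4) -> Dict[str, List[str]]:
    """Return {account: sorted hosts} for accounts that reached more than
    max_hosts distinct destinations within any single time window.

    Only successful logons count: failed attempts are a different signal and
    would otherwise let a typo'd password inflate the host count.
    """
    by_account = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("outcome") != "success":
            continue
        by_account[ev["account"]].append((ev["ts"], ev["host"]))

    alerts: Dict[str, List[str]] = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            # Keep the largest host set seen for this account.
            if len(hosts) > max_hosts and len(hosts) > len(alerts.get(account, [])):
                alerts[account] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_credential_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

The threshold and window are tuning knobs: deployment and backup accounts legitimately touch many hosts, so in practice the baseline is per account (its normal fan-out over the previous weeks) rather than one global number, and the alert should carry the host list so responders can see which machines to isolate first.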

 
