Shamoon Campaigns with Disttrack

This Info Note reviews the risks posed by re-emerging threats, using the case of the Shamoon campaigns that rely on the Disttrack malware.

Published
January 07, 2019

Introduction

A new variant of the Disttrack malware (W32.Disttrack.B) re-emerged this month targeting oil and gas companies in a campaign dubbed Shamoon. These latest attacks are particularly destructive since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the malware overwrites the master boot record. The recent attack targeted an Italian oil and gas drilling company operating in the Middle East, which admitted that the attack affected 300 servers and 100 personal computers. What makes this attack interesting is the re-emergence of a tool well known to cybersecurity defenders, this time with new capabilities and even more destructive power.

Contextual information

Disttrack is a multipurpose tool that exhibits worm-like behaviour by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, it has the ability to destroy data and to render infected systems unusable.

History

According to various security researchers, the Disttrack wiper is one of the most dangerous strains of malware known to date, mainly due to its destructive capabilities. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (a burning US flag, the body of Alan Kurdi). The 2012 attack was particularly devastating, with Disttrack wiping data on over 30,000 computers and crippling the company's activity for weeks. A second wave of this attack happened in November 2016. It was part of a series of cyber-attacks aimed at various organizations in the Persian Gulf, including Aramco and Saudi Arabia's General Authority of Civil Aviation (GACA). Immediately after the attack, the affected organizations were forced to shut down their internal corporate networks, disabling employees' e-mail and Internet access, to stop the malware from spreading.

The Shamoon attack discovered this month targeted an Italian oil and gas company specialized in drilling services and pipeline design. The company is one of the main foreign contractors of Saudi Arabia's largest oil producer.

Description

On December 10, a new variant of the Disttrack malware submitted to VirusTotal was found to share a considerable amount of code with the tools used in previous Shamoon attacks.

Disttrack was originally designed to do two things: replace the data on hard drives with an image of a burning American flag and report the addresses of infected computers. Disttrack's code includes a so-called kill switch, that is, a timer set to trigger the attack at a particular date and time.

In previous attacks, security researchers were able to determine the impacted organization based on the domain names and credentials used by the tool to spread to other systems on the network. However, that functionality was missing from the sample used in this month's attack. Unlike past Shamoon attacks, this particular Disttrack wiper does not overwrite files with an image. Instead, it overwrites the Master Boot Record (MBR), partitions, and files on the system with randomly generated data.

Disttrack's Components

Disttrack consists of three components: a dropper, a wiper and a communications module. The characteristics of these components are as follows:

Dropper: The malware sample submitted to VirusTotal includes a dropper, which is responsible for installing a communications and wiper module to the system. The dropper is also responsible for spreading to other systems on the same local network. This is accomplished by attempting to log into other systems on the network remotely using previously stolen usernames and passwords. The strain used in this month’s attack does not contain any domains, usernames, or passwords to perform the spreading functionality, meaning that it relied solely on manual deployment.

The dropper presents the following characteristics:

  • Includes a hardcoded kill time. If the system date is after this date, the dropper installs the wiper module and starts wiping files on the system.
  • Reads the ‘%WINDOWS%\inf\mdmnis5tQ1.pnf’ file to obtain a custom kill date that it will use instead of the hardcoded time. The communications module installed by the dropper is also capable of writing in this file.
  • Decrypts a string ‘\inf\averbh_noav.pnf’ that is the file that the communications module uses to write the system information.
  • Includes three resources, two of which contain embedded modules, specifically: a communications module, an x64 variant and a wiper module. The x64 variant of the dropper is used if the architecture of the system is determined to be x64.
  • Presents a language set defined as ‘SUBLANG_ARABIC_YEMEN’ that was also found in previous Disttrack samples used in attacks.
  • Installs itself to the system (and to remote systems, if spreading was possible) by creating a service.
  • Chooses a random name when installing the communication and wiper modules to the system.
  • Extracts modules from the above-mentioned resources by seeking to a specific offset and reading a specific number of bytes as the length of the ciphertext.
  • Decrypts the ciphertext using an XOR cipher, with a specific base64-encoded string that is decoded and used as the key.

Wiper: The wiper module that the dropper installs to the system is responsible for overwriting the data. It presents the following characteristics:

  • Overwrites the data within the MBR, partitions, and files on the system.
  • Carries out the data wiping using a legitimate hard disk driver called RawDisk by ElDos.
  • Contains the ElDos and RawDisk drivers in a resource named ‘e’ that it extracts by skipping to offset 1984 and reading 27792 bytes from that offset.
  • Decrypts the data using a 247-byte key and saves it to ‘%WINDOWS%\system32\hdv_725x.sys’.
  • Creates a service named ‘hdv_725x’ for this driver and starts it with “sc start hdv_725x”.
  • Is configured using the ‘R’ flag, which generates a buffer of random bytes that it uses to overwrite the MBR, partitions and files.
  • Supports two additional configuration flags, ‘F’ and ‘E’, which respectively overwrite files using the contents of a supplied file or encrypt their contents.
  • Can be configured, via the ‘F’ flag, to overwrite the files on the disk using a supplied file.
  • Can be configured, via the ‘E’ flag, to import an RSA key and encrypt the MBR, partitions, and files.
  • Reboots the system rendering it unusable as the important system locations and files have been overwritten with random data.

Communications: The communications module is responsible for reaching out to hardcoded URLs to communicate with the command and control (C2) server; unlike previous Disttrack samples, however, this communications module does not contain functional C2 domains to use in the URLs. The communications module presents the following characteristics:

  • Reports on which files were overwritten by creating a URL with a parameter named ‘selection’ followed by system information and the contents of the ‘averbh_noav.pnf’ file.
  • When communicating with the C2 URL, the communications module uses a User-Agent of ‘Mozilla/13.0 (MSIE 7.0; Windows NT 6.0)’, which is the same as in past Disttrack communications module samples.
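The file paths, service name, URL parameter and User-Agent listed for the three components are all observable on a host or at the proxy. The following triage helper is an added example, not code from this note or from any vendor: it checks a host artifact inventory and proxy log lines against exactly those indicators. The inventory format, the proxy log layout and the c2.invalid placeholder host are assumptions, and all sample data is constructed.

```python
"""
Added example (not code from the ENISA note or from any vendor): a small triage
helper that checks a host artifact inventory and proxy log lines against the
Disttrack indicators listed in the note. The inventory format and the proxy
log layout are assumptions; all sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Host artifacts named in the note (paths relative to %WINDOWS%) and the
# service the wiper creates for the RawDisk driver.
DISTTRACK_FILES: Dict[str, str] = {
    r"inf\mdmnis5tQ1.pnf": "custom kill-date file read by the dropper",
    r"inf\averbh_noav.pnf": "system-information file written by the communications module",
    r"system32\hdv_725x.sys": "RawDisk driver dropped by the wiper",
}
DISTTRACK_SERVICES: Dict[str, str] = {
    "hdv_725x": "service created for the RawDisk driver",
}
# User-Agent used by the communications module (identical to past samples).
DISTTRACK_USER_AGENT = "Mozilla/13.0 (MSIE 7.0; Windows NT 6.0)"


def check_host_artifacts(windows_files: Iterable[str],
                         services: Iterable[str]) -> List[Tuple[str, str]]:
    """Match a host inventory against the file and service indicators.

    windows_files: paths relative to %WINDOWS% present on the host.
    services: names of installed services. Matching is case-insensitive,
    as NTFS paths and Windows service names are.
    """
    hits: List[Tuple[str, str]] = []
    present_files = {p.lower() for p in windows_files}
    for path, description in DISTTRACK_FILES.items():
        if path.lower() in present_files:
            hits.append((path, description))
    present_services = {s.lower() for s in services}
    for name, description in DISTTRACK_SERVICES.items():
        if name.lower() in present_services:
            hits.append((name, description))
    return hits


# Assumed proxy log layout: <timestamp> <client ip> <method> <url> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def check_proxy_logs(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Flag proxy lines carrying the Disttrack User-Agent or the 'selection'
    URL parameter the module uses to report overwritten files.
    Returns (client ip, url, reasons) for each flagged line."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = []
        if m["ua"] == DISTTRACK_USER_AGENT:
            reasons.append("Disttrack User-Agent")
        if re.search(r"[?&]selection=", m["url"]):
            reasons.append("'selection' parameter in URL")
        if reasons:
            flagged.append((m["src"], m["url"], reasons))
    return flagged


# Constructed sample inventory: benign entries mixed with indicator matches
# (mixed case on purpose, which the check must tolerate).
SAMPLE_HOST = {
    "windows_files": [r"inf\mdmnis5tQ1.pnf", r"system32\drivers\ntfs.sys",
                      r"System32\HDV_725X.SYS"],
    "services": ["Spooler", "hdv_725x"],
}

# Constructed proxy lines; c2.invalid is a placeholder host, since the note
# states the sample carried no functional C2 domains.
SAMPLE_PROXY_LOG = [
    '2018-12-10T08:01:02Z 10.20.1.15 GET http://c2.invalid/report?selection=HOST01 '
    '"Mozilla/13.0 (MSIE 7.0; Windows NT 6.0)"',
    '2018-12-10T08:01:05Z 10.20.1.22 GET http://intranet.example/home '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2018-12-10T08:02:10Z 10.20.1.15 GET http://c2.invalid/status '
    '"Mozilla/13.0 (MSIE 7.0; Windows NT 6.0)"',
]

if __name__ == "__main__":
    for indicator, why in check_host_artifacts(**SAMPLE_HOST):
        print(f"host artifact: {indicator} ({why})")
    for src, url, reasons in check_proxy_logs(SAMPLE_PROXY_LOG):
        print(f"proxy: {src} -> {url}: {', '.join(reasons)}")
```

Both checks are deliberately literal: the paths and the service name are static in this sample, so an exact (case-insensitive) match is enough. The User-Agent is the more durable network indicator, since the note says it is unchanged from earlier Disttrack samples even though the C2 domains are absent.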

Novelties of the recent Shamoon attack: Unlike previous Shamoon attacks, the latest attack involves a new, second piece of wiping malware dubbed Trojan.Filerase. This malware deletes and overwrites files on the infected computer. The addition of the wiper makes these attacks more destructive than previous Shamoon versions.

While the disks of computers infected by older versions of Shamoon could be forensically recovered, recovery becomes impossible in the recent Shamoon attacks that use the Filerase malware.

Filerase is spread across the victim's network from one primary computer using a list of remote computers. This list is in the form of a text file and is unique to each victim, meaning the attackers likely gathered this information during an earlier reconnaissance phase of the intrusion. A component called OCLC.exe first copies this list and passes it on to another tool called Spreader.exe. The Spreader component then copies Filerase to all the computers listed and simultaneously triggers the Filerase malware on all infected machines.

Furthermore, the lack of a Server Message Block (SMB) spreader and of a network component, typically used by attackers to spread the malware across the network, is consistent with the scenario of manual deployment. This fact confirms that the attacker was present and moving around the company's network, rather than the malware being delivered via a phishing e-mail and left to spread on its own. In at least one instance, Shamoon was executed using PsExec, indicating that the attackers had access to credentials for the network.
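The spreading behaviour described above (one primary computer pushing Filerase to a pre-compiled list of hosts, then triggering it everywhere at once, or an operator using PsExec with stolen credentials) leaves a distinctive fan-out pattern in remote-execution telemetry. The following detector is an added example, not code from this note or from any vendor. It flags any source host that reaches many distinct targets inside a short window, and separately reports events whose tool name matches the components named in the note; the event layout (time, source, target, tool) and the thresholds are assumptions, and the events are constructed.

```python
"""
Added example (not code from the ENISA note or from any vendor): a fan-out
detector for the remote-deployment pattern described in the note. Input is a
constructed list of remote-execution events; the CSV layout and thresholds
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Tool names the note associates with spreading Filerase / Shamoon.
KNOWN_SPREAD_TOOLS = {"oclc.exe", "spreader.exe", "psexec.exe"}


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse constructed lines of the form '<ISO time>,<source>,<target>,<tool>'.
    Blank lines and '#' comments are ignored; events are returned sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, tool = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "tool": tool})
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events: List[Dict], min_targets: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, Set[str]]:
    """Return {source: targets} for every source that reaches at least
    min_targets distinct hosts within any sliding time window of length
    `window`. A single admin touching many hosts in seconds is the signal;
    the same count spread over a day is not."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:           # events are already time-ordered
        by_src[e["src"]].append(e)
    alerts: Dict[str, Set[str]] = {}
    for src, evs in by_src.items():
        left = 0
        for right in range(len(evs)):
            # advance the left edge until the window fits
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            targets = {e["dst"] for e in evs[left:right + 1]}
            if len(targets) >= min_targets:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts


def detect_known_tools(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (source, target, tool) for events using a tool named in the note.
    PsExec is legitimate admin tooling, so these hits are context, not verdicts."""
    return [(e["src"], e["dst"], e["tool"]) for e in events
            if e["tool"].lower() in KNOWN_SPREAD_TOOLS]


# Constructed sample: one host fans out to six targets in eleven seconds,
# another performs routine remote work spread over a working day.
SAMPLE_EVENTS = """
# time,source,target,tool
2018-12-10T02:00:05,ws-admin-01,srv-file-01,spreader.exe
2018-12-10T02:00:07,ws-admin-01,srv-file-02,spreader.exe
2018-12-10T02:00:09,ws-admin-01,srv-db-01,spreader.exe
2018-12-10T02:00:11,ws-admin-01,srv-db-02,spreader.exe
2018-12-10T02:00:14,ws-admin-01,ws-eng-17,spreader.exe
2018-12-10T02:00:16,ws-admin-01,ws-eng-18,spreader.exe
2018-12-10T09:15:00,it-admin-02,srv-print-01,sccm-client
2018-12-10T11:40:00,it-admin-02,srv-print-02,sccm-client
2018-12-10T16:05:00,it-admin-02,ws-hr-04,psexec.exe
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS.splitlines())
    for src, targets in detect_fan_out(evs).items():
        print(f"fan-out from {src}: {len(targets)} hosts -> {sorted(targets)}")
    for src, dst, tool in detect_known_tools(evs):
        print(f"known tool: {src} -> {dst} via {tool}")
```

The fan-out rule carries the weight here: tool names are trivially renamed, whereas copying a payload to a victim-specific host list and triggering it simultaneously cannot avoid the burst. The window and threshold should be tuned against the organization's own baseline of legitimate remote administration (patching and software distribution also fan out, but from known hosts and accounts).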

Recommendations

A non-exhaustive list of recommended mitigation actions:

  • Researchers suspect that the Disttrack malware could have been copied from a USB memory stick. This reaffirms the need for organizations to implement stricter security policies, concerning the use of external memories/devices in computers connected to the corporate network.
  • Another option could be the use of Remote Desktop Protocol (RDP) as the entry point in the absence of any SMB credentials for self-propagation. RDP attacks can be mitigated by:
    • using strong usernames and passwords;
    • setting remote access restrictions;
    • introducing an account lockout policy;
    • using an RDP gateway;
    • changing the RDP port regularly.
  • To maximize its destruction, the Disttrack malware attempts to spread to other systems on the network using stolen administrator credentials, which suggests that the threat actors had previous access to the network or carried out successful phishing attacks before the Shamoon attack. Experts detected the Ismdoor malware on an administrator computer belonging to one of the organizations targeted with Shamoon. The introduction of “administration account credentials” protection procedures is a critical requirement in any System and Network Security Policy.
  • The fact that Disttrack malware seems to be taken out of retirement every few years means that organizations need to remain vigilant and ensure that all data is properly backed up.

Shamoon attack kill-chain

[Figure: the Shamoon attack mapped onto the kill-chain stages Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control and Actions on Objectives. Elements placed on the chain: Ismdoor malware, Shamoon campaign, USB key, RDP attack, Disttrack malware (dropper, communication, wiper).]

Closing remarks

According to security researchers, an apparent overlap exists in the tools, techniques and procedures (TTP) used across the multiple Shamoon campaigns. This fact reveals that whatever mitigation actions and measures were implemented after the first attack were not adequately applied to prevent subsequent attacks. Furthermore, the recommendations to mitigate many of the re-emerged threats remain valid regardless of the mutations introduced by the malicious actors. This is a clear case where Cyber Threat Intelligence (CTI) can come to the rescue. With actionable and contextualized CTI, an organization can have a better understanding of this type of threat, how it evolves and what is required to improve its defence mechanisms in the future.
