
Shamoon Returns: Saudi Oil Hunt

Remember how in 2012 we dissected an interesting piece of malware called Shamoon that was operating in the Middle East? If you don't, a brief reminder: it was a network worm that destroys the contents of the hard drives of infected machines. The code is full of errors and, to put it mildly, non-optimal solutions; nevertheless, Shamoon chalked up more than 30 thousand machines belonging to the oil companies Saudi Aramco and RasGas, and then went quiet. Now it is back, and not alone.

From November 2016 to January 2017 we observed three waves of attacks by the new version of the worm, Shamoon 2.0. The targets are the same: companies critical to the economy of Saudi Arabia. The handwriting of the same people who put Shamoon together four years ago is easily recognisable, but they have mastered a couple of new tricks. The attack scheme, however, remained just as straightforward:

- The attackers obtain the credentials of an administrator of the target network. Exactly how, we do not know, but we hope it is done through classical social engineering rather than the more traditional physical methods of the region.
- Using the obtained credentials, one of the servers on the local network is taken over and later (not always) used to control the worm.
- The administrator credentials, the internal IP of the compromised server, and the date on which the data destruction routine activates are hardcoded into Shamoon 2.0.
- The malware spreads across the attacked network as widely as possible, infecting every machine the obtained credentials give access to.
- On day D at hour H and minute M the wiper fires: Shamoon 2.0 destroys the contents of the hard drives in much the same way as its predecessor did. Previously the files were overwritten with pieces of a JPG of a burning American flag; now they use random garbage or a photo of a drowned Syrian refugee boy. Then the MBR is destroyed and the main partition of the first disk is overwritten.

As in the old Shamoon, this version of the worm can receive commands from the local server, although no external command is required: the wiper triggers at the predetermined time. Moreover, the sample we caught in January this year has no server communication functions at all.
In short, all this is very reminiscent of Shamoon. Nevertheless, the authors of the attack have not sat idle for four years and have learned a few things:

- Shamoon 2.0 can now run on 64-bit versions of Windows. During infection it determines the system bitness (by a crude method: comparing the PROCESSOR_ARCHITECTURE environment variable with "AMD64" and "amd64" instead of simply calling IsWow64Process) and installs the corresponding module.

- Shamoon 2.0 has acquired a ransomware module! True, it is still inactive. The old Shamoon was notable for the absence of a commercial component, which is a rare thing these days and betrays the custom nature of the attack. Now, apparently, the group is preparing to move to self-financing. In general, the guys get by as best they can.
- Shamoon 2.0 contains indications that its authors used Arabic (Yemen) system localization. By itself, however, that does not justify pointing the finger at Yemenis, given how easily such "evidence" is faked.

If you want the juicy technical details and code examples, read the research report, which is published here.

Signs of the Shamoon Tribe


Few expected the return of the good old Shamoon, but when we began to register one attack after another, each time with new modifications of the malware, it became clear that the group behind it was back in business and further surprises should be expected. Given the obfuscation and encryption of the code, potential new modifications have to be caught by indirect signs, and with due skill this approach works very well.

This is done with YARA rules, which describe indicators characteristic of a certain family of malware. We knew that Shamoon uses additional modules stored in encrypted form. The first Shamoon 2.0 samples we captured kept them in resources named PKCS7, PKCS12 and X509. But the authors quickly corrected this, and in subsequent versions the files received the standard names ICO, LANG and MENU.

Nevertheless, the creators of the malware did not change some habits. Both Shamoon and Shamoon 2.0 have a resource named "101". The file itself differs every time, but the name stays the same! Our analysts turned it this way and that and finally worked out how to identify it:

- The file's entropy is above 7.8, which means its contents are encrypted or compressed.
- Its size is about 30 KB; we set a lower threshold of 20 KB.
- The file's language is not set, even though all the other resources had the language Arabic (Yemen) or English (United States).
- There is no unencrypted PE file inside.

Having tested these simple rules, the analysts decided to add a few more criteria to reduce the level of possible false positives:

- The file is not digitally signed.
- None of the known Shamoon samples with the resource "101" exceeded 370 KB, so we set a limit of 700 KB.
- The number of resources in the sample should not be too large: no more than 15.

The result was the following YARA rule:

    import "pe"
    import "math"

    rule susp_file_enumerator_with_encrypted_resource_101
    {
        meta:
            copyright = "Kaspersky Lab"
            description = "Generic detection for samples that enumerate files with encrypted resource called 101"
            hash = "2cd0a5f1e9bcce6807e57ec8477d222a"
            hash = "c843046e54b755ec63ccb09d0a689674"
            version = "1.4"

        strings:
            $mz = "This program cannot be run in DOS mode."
            $a1 = "FindFirstFile" ascii wide nocase
            $a2 = "FindNextFile" ascii wide nocase
            $a3 = "FindResource" ascii wide nocase
            $a4 = "LoadResource" ascii wide nocase

        condition:
            uint16(0) == 0x5A4D and
            all of them and
            filesize < 700000 and
            pe.number_of_sections > 4 and
            pe.number_of_signatures == 0 and
            pe.number_of_resources > 1 and
            pe.number_of_resources < 15 and
            for any i in (0..pe.number_of_resources - 1):
            (
                (math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.8) and
                pe.resources[i].id == 101 and
                pe.resources[i].length > 20000 and
                pe.resources[i].language == 0 and
                not ($mz in (pe.resources[i].offset..pe.resources[i].offset + pe.resources[i].length))
            )
    }
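To show the logic of the rule outside YARA, here is an added Python example (not Kaspersky's code) that re-implements the file-level clauses and the per-resource "101" check over a small constructed stand-in for a parsed PE. The `Resource` and `PeSummary` types are hypothetical and would be filled from any PE parser; a 30 KB pseudo-random blob plays the part of an encrypted module, and a repeated DOS stub plays an unencrypted embedded PE.

```python
import math
import random
from dataclasses import dataclass

DOS_STUB = b"This program cannot be run in DOS mode."  # the rule's $mz string

@dataclass
class Resource:  # stand-in for one pe.resources[i] entry (hypothetical type)
    id: int
    language: int
    data: bytes

@dataclass
class PeSummary:  # the sample fields the rule consults; fill from any PE parser
    filesize: int
    number_of_sections: int
    number_of_signatures: int
    resources: list
    has_api_strings: bool  # FindFirstFile/FindNextFile/FindResource/LoadResource all present

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy on the 0..8 scale used by YARA's math.entropy()."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_encrypted_resource_101(res: Resource) -> bool:
    """Per-resource clause: id 101, language 0, > 20 KB, entropy > 7.8, no DOS stub inside."""
    return (res.id == 101 and res.language == 0 and len(res.data) > 20000
            and entropy_bits_per_byte(res.data) > 7.8 and DOS_STUB not in res.data)

def matches_rule(pe: PeSummary) -> bool:
    """File-level clauses of the rule combined with the 'for any' resource loop."""
    return (pe.has_api_strings and pe.filesize < 700000
            and pe.number_of_sections > 4 and pe.number_of_signatures == 0
            and 1 < len(pe.resources) < 15
            and any(is_encrypted_resource_101(r) for r in pe.resources))

# Constructed inputs, not real samples: a 30 KB pseudo-random blob stands in for an
# encrypted module, a repeated plaintext DOS stub for an unencrypted embedded PE.
rng = random.Random(101)
ENCRYPTED_101 = Resource(101, 0, bytes(rng.getrandbits(8) for _ in range(30000)))
PLAINTEXT_101 = Resource(101, 0, (b"MZ" + DOS_STUB + b"\x00" * 24) * 400)
ICON = Resource(3, 0x409, b"\x00" * 100)  # ordinary resource, language en-US
SUSPECT = PeSummary(350000, 6, 0, [ICON, ENCRYPTED_101], True)
BENIGN = PeSummary(350000, 6, 0, [ICON, PLAINTEXT_101], True)
```

The same thresholds as the rule apply, so a sample whose "101" resource is plaintext (the DOS stub is found inside it) is rejected even though its size passes.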

Why did I bring this rule here? First, because it is beautiful. And second, to promote this wonderful tool for catching all sorts of suspicious software. A piece of code like this lets you successfully detect various modifications of Shamoon 2.0 with a low level of false positives.

And with this very piece of simple code we found another, hitherto unknown piece of malware, which we dubbed StoneDrill.

Its Friend StoneDrill


As with Shamoon, the creators of StoneDrill are actively interested in Saudi organizations. In addition, a number of stylistic parallels can be traced between the two malicious programs. We will say more about the internals of StoneDrill at the next Kaspersky Lab Security Analyst Summit, which will be held from 2 to 6 April on St. Martin.

Although there are some similarities between StoneDrill and Shamoon, the two are very different. StoneDrill's goal is also to destroy information, but it does not use a driver for direct disk access. Its wiper module is injected into the browser installed on the victim's machine. Moreover, if the browser runs with privileges that do not allow wiping the disk directly, only the accessible files are deleted.

The authors of this malware made serious efforts to complicate its detection and analysis; for example, it does not run in a virtual environment. In addition, judging by the traces left in the code, StoneDrill was made not by Yemenis but by Iranians. But there is no need to believe them: such things are very easily faked, and the authors must have understood that their code would be thoroughly investigated.

Another point: we believe there is a connection between StoneDrill and the NewsBeef attack, which is also directed mainly against targets located in Saudi Arabia. For StoneDrill we developed rules for the decrypted modules; since targeted-attack tools are usually modified to match the target, these rules help us discover new variants of the malware used in the attack. And these rules also "catch" the samples that were used in NewsBeef.

If you give free rein to your imagination and suppose that the same people are behind this whole malicious zoo, NewsBeef and StoneDrill look like tools for long-term work against the Saudi economy, while Shamoon is the "heavy artillery" reserved for the most important targets. However, our working version is that StoneDrill and Shamoon are used by different groups pursuing similar interests.

Source: https://habr.com/ru/post/323578/