IBM security researchers see the whole of Shamoon

News by Rene Millman

Researchers find the "missing link" in the malware attack on Gulf states and explain how the initial compromise escalates to wiping computer hard drives across an organisation.

Security researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team have discovered what it calls a “missing link” in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organisations. 

Shamoon struck government organisations and private companies between November 2016 and January this year, wiping the hard drives of affected computers. The attacks took place mainly in Saudi Arabia, but other nearby countries were also affected.

According to a blog post, researchers claimed to have found the initial compromise vector and post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures. The researchers said that the initial compromise took place “weeks before the actual Shamoon deployment and activation were launched”.

The initial compromise came through a document containing a malicious macro which, once the user approved its execution, established C2 communications with the attacker's server and a remote shell via PowerShell.

This was not the only such document the researchers found while investigating the attack. They also tracked similar malicious, PowerShell-laden documents themed as resumes and human resources documents, some of which related to organisations in Saudi Arabia.

The researchers said the attackers send a spear-phishing email to employees at the target organisation with a Microsoft Office document attached. Opening the attachment invokes PowerShell and gives the attackers command-line access to the compromised machine, allowing them to communicate with it and execute commands on it remotely.

With this access, the attackers deploy additional tools and malware to other endpoints or escalate privileges in the network. They can then study the network by connecting to additional systems and locating critical servers.

After this, Shamoon is deployed and a coordinated outbreak begins, wiping computer hard drives across an organisation.

Analysis of one of the attackers' documents found that if the macro executes, it launches two separate PowerShell scripts. The first executes a PowerShell script served from hxxp:// The host is possibly related to attacks that served the Pupy RAT, a publicly available cross-platform remote access tool.

The second script calls VirtualAlloc to create a buffer, uses memset to load Metasploit-related shellcode into that buffer and executes it through CreateThread. If that execution succeeds, the shellcode allocates another buffer with VirtualAlloc and calls InternetReadFile in a loop until the whole file has been retrieved from hxxp:// The content is then returned as a string to PowerShell, which calls Invoke-Expression (iex) on it, indicating that the expected payload is PowerShell, the researchers said.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit's Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” said the researchers.

As well as the malicious documents, the researchers identified a couple of domains used to host malware in the Shamoon attacks. One impersonates a domain associated with the Saudi petrochemical support company Namer Trading Group; the other spoofs a domain associated with the Saudi Industrial Property Authority.

“X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa[.]com. This file duped targets into believing it was a Flash player installer that would drop a Windows batch to invoke PowerShell into the same C2 communications,” said the researchers.

Pieter Arntz, malware intelligence analyst at Malwarebytes, told SC Media UK that mitigating the infection is only possible in its early stages.

“Once the foothold has been realised, disconnecting patient zero from the network as quickly as possible might prevent the massive Shamoon outbreak across the entire network,” he said.

Javvad Malik, security advocate at AlienVault, told SC Media UK that even if an attachment is inadvertently opened by a user, it doesn't necessarily spell disaster.

“Having effective monitoring and threat detection controls can quickly identify when malware has entered a system and when it is trying to communicate with external C&C servers. Threat intelligence can be immensely useful at this point to help tune detection controls to look out for the latest malware variants,” he said.

“UK companies can very well be vulnerable to this style of attack. The same prevention and detection techniques can be utilised to help prevent or minimise the impact. Other than that, having offsite backups will always be recommended in order to recover any information that may be deleted.”
