Shamoon 2 uncovered in Saudi Arabia

Researchers at Palo Alto said they have discovered more about how the Shamoon 2 attacks on systems in the Middle East managed to propagate through networks and infect computers with the Disttrack payload in previous campaigns.

They said that they have identified the use of a combination of legitimate tools and batch scripts to implement the Disttrack payload on host names that the attackers knew existed on the target network of an organisation in Saudi Arabia.

Analysis showed that hackers most likely gathered a list of known host names directly from Active Directory or compiled them from a compromised host during their reconnaissance activities on the network.

This reconnaissance was carried out alongside the theft of the credentials the attackers needed in order to embed legitimate user names and passwords in the Disttrack payload.

This led the researchers to assume that the attackers very likely already had access to the targeted networks before the actual Shamoon 2 attacks. The research findings also confirm that a successful theft of credentials was an integral part of the attacks.

To distribute Disttrack within a target network, the attacker must first compromise a system that can then be used as the Disttrack distribution server in that network. The attacker then uses this server to compromise other systems on the network, using their host names to copy and run the Disttrack malware.

“On each of these named systems that are successfully compromised, the Disttrack malware will attempt to propagate itself to 256 additional IP addresses on the local network. This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” the researchers said in a blog post.

They also said there was a possible connection between Shamoon 2 and the Magic Hound campaign. It was noted that one of the command and control (C&C) servers used by Magic Hound and a server hosting the Shamoon files used IP addresses from the same range, namely 45.76.128.x. Both attacks also leveraged PowerShell and Meterpreter and directed attacks at entities within Saudi Arabia.

“If the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may be able to hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials,” the researchers said. “This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and Meterpreter, both of which have these types of capabilities.”

The researchers concluded that hackers behind Shamoon 2 carried out the Magic Hound campaign as reconnaissance prior to their attacks.

Paul Calatayud, chief technology officer at FireMon, told SC Media UK that the connections between Shamoon and Magic Hound can help in understanding the motivations and potential risks that these attackers may pose. “When looking at the first attack campaign, you begin to see a pattern of who was targeted and what type of data was targeted,” he said.

He added that nation-state or attackers hired by competing organisations may be the most likely people “because in both attacks, the attackers are focusing on intelligence and intellectual data within Saudi Arabia. This is a focused targeted attack.”

To mitigate attacks, Calatayud said that PowerShell should be disabled on computers. “If this is not possible, limit PowerShell by applying certificates to force only a few machines in the network the ability to execute remote PowerShell.”

Jonathan Zulberg, technical director EMEA at TrapX, told SC that the connection between the two pieces of malware is important, because it describes a classic advanced persistent threat (APT) scenario, executed over a long period of time and iteratively using information from the previous stages of the attack to carry the campaign through to its close.

“This suggests highly organised, patient and persistent adversaries. Given that Disttrack is primarily concerned with inflicting maximum damage, having destroyed over 30,000 systems in 2012, and more recent versions replacing critical system files with politically-charged imagery, it strongly suggests a hacktivist or nation-state origin, rather than organisations pursuing financial gain,” says Zulberg.

“However, without forensic confirmation that Magic Hound and Disttrack have both been found on targeted networks, it remains a matter of speculation as to whether they are of the same origin. The apparent links could just suggest a single developer, on the payroll of multiple customers,” he added.