Shamoon wiper malware returns after four-year hiatus

News by Max Metzger

Shamoon wiper malware has been spotted for the first time in four years, according to Palo Alto and Symantec

Shamoon malware has returned after a nearly four-year vacation. Reports from both Symantec and Palo Alto detailed the wiper malware's unceremonious return to the scene.

The malware, also known as Disttrack, was first seen four years ago attacking Saudi Oil Company Aramco and intending to wipe tens of thousands of computers.

This time, the Shamoon-wielding attacker targeted another Saudi company, unnamed by Palo Alto or Symantec, and attempted not just to wipe that company's computers but to overwrite their Master Boot Records with the iconic image of Aylan Kurdi's corpse. The attack was carried out on 17 November, a Muslim holiday, presumably to catch security teams when they were least alert.

The malware came with a list of hardcoded logins, allowing Shamoon to do its dirty work more quickly, but also meaning that the company had been breached before. Palo Alto's report says that the perpetrators of this attack could be the same that used Shamoon four years ago: “The current attack campaign has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective.”

It adds, “Disttrack malware used in the recent attacks is very similar to the variant used in the 2012 attacks, which uses the exact same RawDisk device driver as well.”

Last year, security company Damballa issued a report on wiper malware. At the time, senior threat researcher Willis McDonald said that the aims of using wiper malware like Shamoon are pretty simple.

Unlike other malware “which focuses on gathering information that can be used for financial gain”, wiper malware has “only one purpose, to cause destruction and disruption within a victim's organisation.  This type of attack like other political and activist attacks is meant as an amplifier to cause chaos not only within the victim organisation but also within associated organisations within the same industry or who share views similar to the victim.”

This is completely unlike financially motivated malware, which focuses on gathering information that can be used for financial gain. Even ransomware, which does render data unusable, does so only for the purpose of obtaining a ransom to restore the data.

Brian Chappell, director of technical services EMEAI and APAC at BeyondTrust, told SC that given the targeted nature of both attacks, there are two possible reasons behind Shamoon's use. It could be hacktivism, given the potential for disruption that wiper malware provides.

It could also be used “to destroy evidence of activity, covering the tracks of a data exfiltration but even then, it's a blunt instrument. It could only be guaranteed to impact the first system it was deployed on and is a clear signal that an intrusion has occurred, I would expect most capable hackers to quietly cover their tracks to enable them to revisit for further data theft.”
