A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck at least one Saudi company in a new campaign that researchers call a “carefully planned operation.” The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.
New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye. It isn’t yet clear how the malware’s “dropper” has gotten into the networks it has attacked. But once on a victim’s Windows system, it determines whether to install a 32-bit or 64-bit version of the malware. According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17.
The wiper malware itself uses RawDisk, a commercial software driver from EldoS that gives direct access to the disk drives of the infected system to write data—or in this case, overwrite data. The same driver was used in the “wiper” attacks against Sony Pictures in 2014. Before beginning the wipe, the malware sets the system clock of the infected computer back to a random date in August of 2012, according to a report from FireEye—likely to get around the EldoS driver’s check for a valid license. “Analysis suggests this might be for the purposes of ensuring the [EldoS driver] that wipes the Master Boot Record (MBR) and Volume Boot Record (VBR) is within its test license validity period,” the FireEye research team wrote.
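The clock rollback described above is something a defender can look for directly: Windows logs every system time change as Security event 4616, with the old and new clock values. The following is an added example, not code from the article or from any of the vendors cited, that flags 4616 events whose new time is far behind the previous one; the hostnames, process paths and timestamps in the sample lines are constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Windows Security event 4616 ("The system
# time was changed"), flattened to key=value form as a log collector might emit them.
# Hosts, process paths and timestamps are made up for this example.
SAMPLE_EVENTS = [
    "EventID=4616 Host=WS-042 Process=C:\\Windows\\System32\\svchost.exe "
    "PreviousTime=2016-11-17T08:40:01Z NewTime=2016-11-17T08:40:03Z",
    "EventID=4624 Host=WS-042 Process=- PreviousTime=- NewTime=-",
    "EventID=4616 Host=WS-042 Process=C:\\Windows\\Temp\\unknown.exe "
    "PreviousTime=2016-11-17T08:41:10Z NewTime=2012-08-14T03:22:51Z",
    "EventID=4616 Host=DC-01 Process=C:\\Windows\\System32\\svchost.exe "
    "PreviousTime=2016-11-17T08:45:00Z NewTime=2016-11-17T08:44:58Z",
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Split a key=value log line into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def backward_jump(prev, new):
    """Size of a backward clock change as a timedelta; zero when the clock moved forward."""
    delta = prev - new
    return delta if delta > timedelta(0) else timedelta(0)


def find_clock_rollbacks(lines, max_backward=timedelta(hours=1)):
    """Return 4616 events that set the clock back further than ordinary drift
    correction would, such as a jump from November 2016 to August 2012."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4616":
            continue  # only time-change events carry PreviousTime/NewTime
        prev = datetime.strptime(ev["PreviousTime"], TS_FMT)
        new = datetime.strptime(ev["NewTime"], TS_FMT)
        jump = backward_jump(prev, new)
        if jump > max_backward:
            alerts.append({"host": ev["Host"], "process": ev["Process"],
                           "days_back": jump.days, "new_time": ev["NewTime"]})
    return alerts


if __name__ == "__main__":
    for a in find_clock_rollbacks(SAMPLE_EVENTS):
        print(f"{a['host']}: clock set back {a['days_back']} days to "
              f"{a['new_time']} by {a['process']}")
```

Small backward corrections from the time service fall under the one-hour threshold and are ignored; a multi-year rollback by a process outside System32 is what stands out.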