After a two-year absence, destructive malware Shamoon (W32, Distortack B) re-emerged the December 10 in a new wave of attacks on targets in the Middle East. These latest Shamoon attacks have been doubly destructive since they involved a new "wiper" (Trojan. Filerase) which is responsible for deleting files from infected computers before malware Shamoon change the Master Boot Record.
News of the attacks first surfaced on December 10 when several oil and gas companies said they had been hit by a cyber attack on their infrastructure in the Middle East.
Unlike previous attacks Shamoon, these latest attacks involve a new, second piece wiping malware (Trojan. Filerase). This malware, as mentioned, deletes and overwrites the files on the infected computer. Meanwhile, Shamoon delete the master boot record of the computer, making it unusable.
The addition of the wiper Filerase makes these attacks more destructive than using malware alone Shamoon. While a computer infected by Shamoon it may be unusable, files on your hard drive may be recoverable. However, if the files are first deleted by the malware Filerase, recovery becomes impossible.
Filerase it is spread through the victim's network from an initial computer using a list of remote computers. This list is present in the form of a text file and is unique to each victim, which means that attackers are able to collect this information during a reconnaissance phase prior to the intrusion. This list is first copied from a component called OCLC.exe and then passed to another tool called spreader.exe.
It should never be forgotten that the method of attack follows, however, always the classic chain of attack.
History:
Shamoon (W32.Disttrack) first surfaced in 2012 when it was used in a series of disruptive attacks on the Saudi energy sector.
Behind these attacks, Microsoft Threat Intelligence has identified a group known as TERBIUM, the name assigned by Microsoft itself according to a criterion where the terminology used refers to names of chemical elements.
Microsoft Threat Intelligence has observed that the malware used by TERBIUM, dubbed "Depriz", reuses various components and techniques already seen in the 2012 attacks and has been highly customized for each organization.
In any case, the malware components are 3 and have been decoded as follows:
PKCS12 - a destructive disk wiper component
PKCS7 - a communication module
X509 - 64-bit variant of the Trojan / implant
Since the credentials have been incorporated into the malware, of course, it is suspected that the credentials themselves have been stolen previously.
Once TERBIUM has access to the organization, the chain of infection begins by writing a disk executable file that contains all the components necessary to perform the data erase operation. These components are encoded in executables in the form of false images.
Even if the extent of the damage caused by this attack, worldwide, is still unknown, as in many other cases it is possible to mitigate the risk of attack using systems, processes and solutions that exploit new technologies and that guarantee to raise the level of security and to know in real time what is happening on the systems.
It is therefore necessary to define a security strategy that covers each of the areas of the Kill Chain Attack and, above all, not to think of defending itself with systems that do not exploit Threat Intelligence solutions based on Artificial Intelligence and Machine Learning. In a deeply changed scenario in which the attackers exploit new and advanced technologies, it is no longer possible to defend themselves by using systems with a similar power.
Since the attacks have been carried out on Microsoft-based architectures, I feel compelled to provide the solutions that Microsoft suggests in these cases. Obviously, everyone can use similar solutions from other vendors. The important thing, though, is to always remember to
- protect identity by enabling at least multi factor authentication;
- protect authentication services using behavioral analysis systems;
- protect endpoints with systems that are able to control lateral movement, privilege escalation, identity and ticket theft attempts;
- update the operating systems to the latest version of the Enterprise model, enabling all the security features;
- protect the mail through the use of anti-phishing solutions based on the concept of sandboxing;
- where there are hybrid architectures, use CASB (Cloud Access Broker) systems.
It remains clear that solutions and products are not enough but also serves and above all training, sensitivity to a theme that, unfortunately, is present in everyday life and the willingness to change an approach to the problem best suited to the scenario current.
