Shamoon, a two-stage targeted attack
The interesting part of this malware is that, instead of staying under the radar and collecting information, it was designed to overwrite and wipe files and the Master Boot Record (MBR) of the infected computer. Why would someone wipe files in a targeted attack and make the machine unusable?
While it is rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior as the wiper malware found attacking machines in Iran that had been infected with another, then unknown, malware. That investigation led Kaspersky to the discovery of Flame.
Furthermore, Shamoon collects the names of the files it has overwritten and sends this list to another internal machine within the compromised company network. The samples we analyzed communicated with the local IP address 10.1.252.19 (see Figure 1).
The evidence above suggests that this is a two-stage attack:
The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. The wiper then reported the names of the overwritten files back to the external C2 through the proxy.
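The two-stage layout above (internal victims reporting to one internal host, which alone talks to the external C2) leaves a recognisable footprint in connection logs. The following is an added example, not code from the original post or from Seculert: given flow records of the form "src dst dport", it flags internal hosts that both accept connections from several internal peers and initiate connections to non-RFC1918 addresses. The flow lines, the relay address 10.1.252.19 (taken from the text) and the external addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not captured Shamoon traffic): "src dst dport".
# 10.1.252.19 is the internal address named in the text; the external addresses
# are documentation ranges chosen for the example.
CONSTRUCTED_FLOWS = """\
10.1.12.5 10.1.252.19 80
10.1.12.7 10.1.252.19 80
10.1.30.44 10.1.252.19 80
10.1.252.19 203.0.113.10 443
10.1.12.5 10.1.0.2 53
10.1.30.44 198.51.100.7 443
""".splitlines()

# Define "internal" explicitly as RFC1918 rather than via ipaddress.is_private,
# which also treats the TEST-NET documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_relay_candidates(flows, min_internal_peers=2):
    """Return internal hosts that receive connections from >= min_internal_peers
    internal sources AND open connections to at least one external address.
    That combination is the proxy/relay role described in the two-stage model."""
    inbound_from_internal = defaultdict(set)   # dst -> set of internal srcs
    outbound_external = defaultdict(set)       # src -> set of external dsts
    for line in flows:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        src, dst, _port = parts
        if is_internal(src) and is_internal(dst):
            inbound_from_internal[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            outbound_external[src].add(dst)

    candidates = {}
    for host, peers in inbound_from_internal.items():
        if len(peers) >= min_internal_peers and outbound_external.get(host):
            candidates[host] = {
                "internal_peers": sorted(peers),
                "external_dsts": sorted(outbound_external[host]),
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(CONSTRUCTED_FLOWS).items():
        print(f"relay candidate {host}: peers={info['internal_peers']} external={info['external_dsts']}")
```

In the constructed data only 10.1.252.19 qualifies: 10.1.0.2 receives traffic from a single peer and never talks externally, and 10.1.30.44 talks externally but is not a sink for other internal hosts. On real data the threshold and the "internal" definition need tuning to the environment (legitimate proxies and DNS forwarders will match too), so treat hits as hunting leads, not verdicts.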
Source: blog.seculert.com/2012/0 ··· ack.html

The samples are especially interesting because they contain a module with the following string:
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
Of course, the wiper reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.
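A PDB path like the one above is stored in the PE's CodeView debug record: the 4-byte "RSDS" signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path. The following is an added example, not code from the original post or from Kaspersky: it scans a byte buffer for such records, extracts the paths, and flags those matching the Shamoon/wiper strings quoted on the page. The sample buffer is constructed for the example and only embeds the path string from the text; no real Shamoon binary is included.

```python
import struct

CV_SIG = b"RSDS"          # CodeView 7.0 signature that precedes GUID, age and PDB path
CV_HEADER_LEN = 4 + 16 + 4

# Constructed stand-in for a PE image: padding, one RSDS record carrying the path
# quoted on the page, then more padding. Not a real sample.
SAMPLE_PDB = b"C:\\Shamoon\\ArabianGulf\\wiper\\release\\wiper.pdb"
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 200
    + CV_SIG + bytes(range(16)) + struct.pack("<I", 1) + SAMPLE_PDB + b"\x00"
    + b"\x90" * 50
)

# Substrings (lower-cased) from the PDB path the page reports for Shamoon.
WIPER_INDICATORS = ("shamoon", "arabiangulf", "wiper.pdb")


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in RSDS CodeView records inside data.
    Works on raw file bytes, so it also catches records outside the debug
    directory (e.g. in overlays or embedded modules)."""
    paths = []
    pos = 0
    while True:
        idx = data.find(CV_SIG, pos)
        if idx < 0:
            break
        start = idx + CV_HEADER_LEN
        end = data.find(b"\x00", start)
        if end < 0:
            break
        raw = data[start:end]
        # "RSDS" can occur by chance; require a printable ASCII path to accept the hit.
        if raw and all(0x20 <= b < 0x7F for b in raw):
            paths.append(raw.decode("ascii"))
        pos = idx + len(CV_SIG)
    return paths


def flag_wiper_pdb(paths) -> list:
    """Return (path, matched_indicators) for paths containing any wiper indicator."""
    hits = []
    for path in paths:
        low = path.lower()
        matched = [ind for ind in WIPER_INDICATORS if ind in low]
        if matched:
            hits.append((path, matched))
    return hits


def scan_file(filename: str) -> list:
    """Convenience wrapper for a file on disk."""
    with open(filename, "rb") as fh:
        return flag_wiper_pdb(extract_pdb_paths(fh.read()))


if __name__ == "__main__":
    for path, matched in flag_wiper_pdb(extract_pdb_paths(CONSTRUCTED_SAMPLE)):
        print(f"wiper PDB path: {path} (matched {matched})")
```

The scan is byte-oriented rather than header-driven on purpose: Shamoon's wiper lives in an encrypted resource of the 900KB dropper, so the string only becomes visible once that resource has been decrypted or dumped from memory, and a raw scan over the dumped buffer needs no valid PE headers. Absence of a hit proves nothing, since build paths are trivially stripped or changed.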
The malware is a 900KB PE file that contains a number of encrypted resources:
Source: www.securelist.com/en/bl ··· _at_Work