New Variant of Shamoon Surfaces, Targets Saudi Arabian Organizations

The end of 2016 saw the return of a familiar attack campaign that wipes the disks of any infected computer. Dubbed Shamoon 2, it appears to be related to the 2012 Shamoon campaign that targeted an organization in Saudi Arabia and made use of a disk wiper called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior, attempting to spread to other systems on the local network using stolen administrator credentials. More importantly, its claim to fame is its ability to destroy data and render infected systems unusable. The attack four years ago damaged 30,000 or more systems at the oil company Saudi Aramco.

Shamoon 2 was scheduled to execute its wiping routine on November 17, 2016. No one has identified the threat actors behind either the original campaign or this new one, but they appear to have targeted a second Saudi Arabian organization as well, with that payload set to execute on November 29, 2016. The new campaign targeted the labor ministry and a chemicals firm. Because the payload was set to fire on a fixed future date, there was a window between delivery and detonation, and fortunately for the organizations the malware was discovered and defused within that window, before the scheduled execution dates.

There is no information on how the malware was delivered to the targeted organizations, but it is likely that the threat actors performed reconnaissance on the target networks during a previous intrusion to map them and identify the systems to which the malicious payload would be delivered.