Destructive Shamoon attack targets energy sector

A new spear-phishing attack targeting a number of specific companies in a few industries including the energy sector has been spotted by several security companies.

Dubbed “Shamoon” after a folder-name string found inside the malware executable, the attack ends with destructive malware being delivered to the targeted computers, leaving them unusable.

“The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record of the computer,” Seculert researchers pointed out.

“While it’s rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran that were infected with Flame.”

But Kaspersky Lab experts doubt that this malware is the same that attacked Iran in April 2012.

“The original ‘Wiper’ was using certain service names together with specific filenames for its drivers which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” they shared. “It is more likely that this is a copycat, the work of script kiddies inspired by the story.”

Websense says that detection for the dropper component of the malware was added to its Advanced Classification Engine in December 2010.

“When the Dropper executes, it installs several files on the system, including a signed driver (not malicious) that is used to interact with the file system,” Websense researchers say. “We are not sure how the malware writers were able to sign the file using a 3rd party organization’s certificate. Most likely it was stolen in a previous attack.”

The other two components of the malware are the Wiper, the component that overwrites files and the MBR, and the Reporter, which sends infection information back to the attacker (domain name, the number of overwritten files, and the IP address of the compromised computer).

It’s difficult to say who might be behind the attack, as it is unusually destructive and, therefore, definitely not stealthy.

Seculert researchers say that the attack consists of two stages. First, the attacker takes control of an internal machine connected directly to the Internet and uses it as a proxy to infect other machines that are probably not directly connected to the Net. Then the Shamoon malware is deployed, wreaks havoc on those machines, and reports back to the attacker through the proxy.

The researchers have not said which company has been the target of the Shamoon attacks, but it is widely speculated that it could be Saudi Aramco, the world’s largest oil company, which yesterday reported a serious security breach that may have caused major disruptions in its network.