Shamoon is a type of destructive malware that Talos has been tracking since 2012 and that has previously been associated with attacks against various organizations in the oil and gas industry. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.

On Dec. 10, Talos observed a new Shamoon 3 variant (c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization-specific, belonging to individuals or to shared accounts. Others are the default accounts of products used by the targeted customers.
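The propagation pattern above (one set of credentials, reused for network logons against host after host) is something a defender can look for in authentication logs. The following script is an added example, not Talos code and not part of the original post. It runs over constructed records that stand in for Windows Security log logon events (event 4624 with its logon type field); the account names, host names and the default-account watch list are placeholders you would replace with the accounts your own products ship with.

```python
"""Flag a credential being reused for network logons across many hosts.

Added example for the propagation behaviour described above (network
enumeration plus stolen or default credentials); it is not Talos code.
Records are constructed here to stand in for Windows Security log events
(event 4624 with the logon type field). Names are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon type 3 is a network logon (admin share, remote service),
# which is the type credential reuse over the network produces.
NETWORK_LOGON = 3

# Constructed sample records: (timestamp, account, target host, logon type).
SAMPLE_LOGONS = [
    ("2018-12-10T09:00:00", "jdoe", "WS-001", 3),
    ("2018-12-10T09:05:00", "jdoe", "FS-01", 3),
    ("2018-12-10T09:06:00", "jdoe", "WS-001", 2),        # interactive, ignored
    ("2018-12-10T10:00:00", "svc-deploy", "WS-010", 3),
    ("2018-12-10T10:00:30", "svc-deploy", "WS-011", 3),
    ("2018-12-10T10:01:00", "svc-deploy", "WS-012", 3),
    ("2018-12-10T10:01:30", "svc-deploy", "WS-013", 3),
    ("2018-12-10T10:02:00", "svc-deploy", "WS-014", 3),
    ("2018-12-10T10:02:30", "svc-deploy", "WS-015", 3),
    ("2018-12-10T11:00:00", "svc-deploy", "WS-010", 3),  # repeat, outside window
    ("2018-12-10T11:30:00", "vendor-default", "HMI-02", 3),
]

# Placeholder watch list: fill it with the default and shared accounts of the
# products deployed in your environment. These two names are invented.
DEFAULT_ACCOUNT_WATCHLIST = {"vendor-default", "shared-ops"}


def find_spreading_accounts(records, min_hosts=5, window=timedelta(minutes=10)):
    """Return {account: hosts} for accounts whose network logons reach at least
    min_hosts distinct hosts inside a single time window of length `window`."""
    by_account = defaultdict(list)
    for ts, account, host, logon_type in records:
        if logon_type != NETWORK_LOGON:
            continue
        by_account[account].append((datetime.fromisoformat(ts), host))

    hits = {}
    for account, events in by_account.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct hosts reached within `window` of the i-th logon.
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(account, ())):
                hits[account] = hosts
    return hits


def find_watchlist_logons(records, watchlist=DEFAULT_ACCOUNT_WATCHLIST):
    """Return every network logon by a watch-listed account, oldest first."""
    matches = [(ts, account, host) for ts, account, host, logon_type in records
               if logon_type == NETWORK_LOGON and account in watchlist]
    return sorted(matches)


if __name__ == "__main__":
    for account, hosts in find_spreading_accounts(SAMPLE_LOGONS).items():
        print(f"{account}: network logons to {len(hosts)} hosts: {sorted(hosts)}")
    for ts, account, host in find_watchlist_logons(SAMPLE_LOGONS):
        print(f"{ts}: watch-listed account {account} logged on to {host}")
```

The threshold and window are deliberately conservative defaults; a deployment tool or backup agent that legitimately touches many hosts will need an allow list, and the point of the watch list is simply that a product's default account should never be seen authenticating over the network at all.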

Coverage

Coverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules

  • 23893
  • 23903
  • 23905-23933
  • 24127
  • 40906

ClamAV Signatures

  • Win.Dropper.DistTrack-*
  • Win.Trojan.DistTrack.*
  • Win.Malware.DistTrack.*

AMP Detection

  • W32.GenericKD:Malwaregen.20c3.1201
  • W32.Malwaregen.19nb.1201
  • W32.47BB36CD28-95.SBX.TG
  • W32.Generic:Malwaregen.20c3.1201
  • Win.Malware.DistTrack
  • W32.128FA5815C-95.SBX.TG
  • W32.C7FC1F9C2B-95.SBX.TG
  • W32.EFD2F4C3FE-95.SBX.TG
  • W32.010D4517C8-95.SBX.TG
  • Win.Malware.DistTrack.Talos

Other Mitigation Strategies

Recent Shamoon 2 activity serves as a good reminder that users and organizations need to have a comprehensive disaster recovery plan. No one can say for certain whether you will be targeted by destructive malware, but we can say with 100% certainty that all drives fail. Without a proper system to back up and restore your data, you risk permanently losing it. Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware, or other destructive malware and require a complete restoration.
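A backup that has never been restored is an assumption, not a plan. The script below is an added example, not Talos code and not part of the original post: it records a SHA-256 manifest of a source tree when the backup is taken, then checks a restored copy against that manifest and reports anything missing, altered or unexpected. The file tree it works on is constructed in a temporary directory; in practice the manifest would be produced by the backup job and kept apart from the backup media.

```python
"""Verify that a backup can actually be restored intact.

Added example for the backup-and-restore point above; it is not Talos code.
Every file under a source tree is hashed into a manifest, and a restored copy
is then compared against it. The demo builds a constructed tree under
tempfile so it runs offline.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored_root = Path(restored_root)
    report = {"missing": [], "mismatched": [], "extra": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["mismatched"].append(rel)
    restored_files = {p.relative_to(restored_root).as_posix()
                      for p in restored_root.rglob("*") if p.is_file()}
    report["extra"] = sorted(restored_files - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["extra"])
    return report


def demo():
    """Back up a constructed tree, then verify a clean and a damaged restore.

    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "data").mkdir(parents=True)
        (src / "logs").mkdir()
        (src / "data" / "db.sqlite").write_bytes(b"constructed database contents")
        (src / "logs" / "app.log").write_text("constructed log line\n")
        (src / "readme.txt").write_text("constructed readme\n")

        manifest = build_manifest(src)      # recorded when the backup is made
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)      # stands in for the restore job
        clean_report = verify_restore(manifest, restored)

        # Simulate a bad restore: one file corrupted, one file never came back.
        (restored / "data" / "db.sqlite").write_bytes(b"truncated")
        (restored / "logs" / "app.log").unlink()
        damaged_report = verify_restore(manifest, restored)
        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore ok:", clean["ok"])
    print("damaged restore:", {k: v for k, v in damaged.items() if k != "ok"})
```

Running the verification on a schedule, against a restore into scratch storage rather than against the backup archive itself, is what turns "we have backups" into "we can restore"; the manifest also gives you a way to tell a wiped or tampered file from one that simply failed to copy.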