The Full Shamoon: How the Devastating Malware Was Inserted Into Networks
This post was co-authored with IBM X-Force's Kevin Albano.
---
Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations. These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in the Gulf states. Shamoon is designed to destroy computer hard drives by irretrievably wiping the master boot record (MBR) and data, unlike ransomware, which holds the data hostage for a fee.
Through their recent investigations, our forensics analysts pinpointed the initial compromise vector and the post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures. It’s worth mentioning that, according to X-Force IRIS, the initial compromise took place weeks before the actual Shamoon deployment and activation were launched.
Shamoon Attacks Preceded by Malicious Macros and PowerShell Commands
Since Shamoon incidents feature the infiltration and escalation stages of targeted attacks, X-Force IRIS responders sought out the attackers’ entry point. Their findings pointed to what appears to be the initial point of compromise the attackers used: a document containing a malicious macro that, when approved to execute, enabled C2 communications to the attacker’s server and a remote shell via PowerShell.
The document was not the only one discovered in the recent attack waves. X-Force IRIS researchers had been tracking earlier activity associated with similar malicious, PowerShell-laden documents themed as resumes and human resources documents, some of which related to organizations in Saudi Arabia. This research identified several bouts of offensive activity over the past few months, which revealed similar operational methods: the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network.
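As an added example (not code from the IBM X-Force post), here is a detection check a defender can run over process-creation telemetry to catch the macro-to-PowerShell chain described above: an Office application spawning a shell, optionally with hidden-window or encoded-command switches. The event fields and sample rows are constructed in the style of Sysmon process-creation records, and the base64 payload is a placeholder.

```python
"""Flag Office-spawned shells in process-creation telemetry (constructed example)."""
import re

# Sysmon-style process-creation events, constructed for this example (not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\hr\Downloads\resume.doc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -NoP -W Hidden -EncodedCommand <BASE64_PLACEHOLDER>"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Switches commonly seen when a macro launches a hidden, encoded PowerShell stage.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)-(?:enc\w*|nop\w*|w(?:indowstyle)?\s+hidden)|downloadstring|\biex\b")


def basename(path):
    """Lower-cased file name taken from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event is suspicious (empty list if nothing stands out)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    reasons = []
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"office app {parent} spawned {child}")
        for m in SUSPICIOUS_ARGS.finditer(event.get("CommandLine", "")):
            reasons.append(f"suspicious switch {m.group(0)!r}")
    return reasons


def detect(events):
    """Map event index -> reasons for every event worth an analyst's attention."""
    return {i: r for i, e in enumerate(events) if (r := score_event(e))}


if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"])
        for reason in reasons:
            print("   ", reason)
```

Only the second event is flagged: the legitimate PowerShell run from cmd.exe and the Word process itself pass through, which is the parent-child relationship an alert on "powershell.exe" alone would miss.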