{ "Event": { "analysis": "2", "date": "2017-01-11", "extends_uuid": "", "info": "OSINT - Second Wave of Shamoon 2 Attacks Identified", "publish_timestamp": "1484171675", "published": true, "threat_level_id": "3", "timestamp": "1484171665", "uuid": "5876a2cd-0a90-4f5b-9488-d567950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#770095", "local": "0", "name": "ms-caro-malware:malware-platform=\"Win32\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"Shamoon\"", "relationship_type": "" }, { "colour": "#065000", "local": "0", "name": "misp-galaxy:tool=\"Wipbot\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484169966", "to_ids": false, "type": "comment", "uuid": "5876a2ee-e7d0-4b7c-ba95-f74c950d210f", "value": "In November 2016, we observed the reemergence of destructive attacks associated with the 2012 Shamoon attack campaign. We covered this attack in detail in our blog titled Shamoon 2: Return of the Disttrack Wiper, which targeted a single organization in Saudi Arabia and was set to wipe systems on November 17, 2016. Since our previous publication, we have found another, similar but different payload used to target a second organization in Saudi Arabia that was configured to wipe systems twelve days later on November 29, 2016. This latest attack potentially materially impacts one of the primary countermeasures employed against wiper attacks: Virtual Desktop Interface snapshots.\r\n\r\nThe payload used in this attack was very similar to the November 17, 2016 payload, but exhibited slightly different behaviors and contained hardcoded account credentials specific to the newly targeted organization. The hardcoded account credentials met Windows password complexity requirements, which suggests that the threat actors obtained the credentials through a previous, separate attack, similar to the November 17, 2016 attack.\r\n\r\nThe most notable thing about this latest sample is that it contains several usernames and passwords from official Huawei documentation related to their virtual desktop infrastructure (VDI) solutions, such as FusionCloud. VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack. If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment.\r\n\r\nAt this time, we have no details of the attack we believe preceded this Shamoon attack to obtain credentials. We also have no details on the delivery method used to deliver the new, similar, but different Disttrack payload in this attack."
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484169979", "to_ids": false, "type": "link", "uuid": "5876a2fb-af9c-48af-a5d4-f747950d210f", "value": "http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/" }, { "category": "Payload delivery", "comment": "64-bit Disttrack", "deleted": false, "disable_correlation": false, "timestamp": "1484170034", "to_ids": true, "type": "sha256", "uuid": "5876a332-b0dc-4afe-b3ec-8845950d210f", "value": "010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb" }, { "category": "Payload delivery", "comment": "Communication", "deleted": false, "disable_correlation": false, "timestamp": "1484170034", "to_ids": true, "type": "sha256", "uuid": "5876a332-34d8-4298-b1a5-8845950d210f", "value": "efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8" }, { "category": "Payload delivery", "comment": "Wiper", "deleted": false, "disable_correlation": false, "timestamp": "1484170035", "to_ids": true, "type": "sha256", "uuid": "5876a333-5758-40ee-b1ab-8845950d210f", "value": "113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4" }, { "category": "Payload delivery", "comment": "vdsk911.sys", "deleted": false, "disable_correlation": false, "timestamp": "1484170036", "to_ids": true, "type": "sha256", "uuid": "5876a334-90d8-4274-8e12-8845950d210f", "value": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" }, { "category": "Payload delivery", "comment": "vdsk911.sys - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", "deleted": false, "disable_correlation": false, "timestamp": "1484170291", "to_ids": true, "type": "sha1", "uuid": "5876a433-27c0-4ff0-ac22-49fa02de0b81", "value": "1292c7dd60214d96a71e7705e519006b9de7968f" }, { "category": "Payload delivery", "comment": "vdsk911.sys - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", "deleted": false, "disable_correlation": false, "timestamp": "1484170292", "to_ids": true, "type": "md5", "uuid": "5876a434-dd10-4e13-9056-4f1902de0b81", "value": "76c643ab29d497317085e5db8c799960" }, { "category": "External analysis", "comment": "vdsk911.sys - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", "deleted": false, "disable_correlation": false, "timestamp": "1484170292", "to_ids": false, "type": "link", "uuid": "5876a434-27f8-4a7a-ac74-4f2502de0b81", "value": "https://www.virustotal.com/file/5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a/analysis/1484152712/" }, { "category": "Payload delivery", "comment": "64-bit Disttrack - Xchecked via VT: 010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb", "deleted": false, "disable_correlation": false, "timestamp": "1484170293", "to_ids": true, "type": "sha1", "uuid": "5876a435-1de4-428a-81c5-4f1102de0b81", "value": "c8552de54ae5dba238103747b637863392616f70" }, { "category": "Payload delivery", "comment": "64-bit Disttrack - Xchecked via VT: 010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb", "deleted": false, "disable_correlation": false, "timestamp": "1484170294", "to_ids": true, "type": "md5", "uuid": "5876a436-9e30-416c-a6e5-482e02de0b81", "value": "ba170958fd5b01967d5bcde6b1347425" }, { "category": "External analysis", "comment": "64-bit Disttrack - Xchecked via VT: 010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb", "deleted": false, "disable_correlation": false, "timestamp": "1484170294", "to_ids": false, "type": "link", "uuid": "5876a436-8878-41fb-9c0e-49d902de0b81", "value": "https://www.virustotal.com/file/010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb/analysis/1484152734/" } ] } }