{ "Event": { "analysis": "2", "date": "2017-03-27", "extends_uuid": "", "info": "OSINT - Shamoon 2: Delivering Disttrack", "publish_timestamp": "1490617391", "published": true, "threat_level_id": "3", "timestamp": "1490616352", "uuid": "58d8fea3-e924-4905-9a11-4ea6950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"Shamoon\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": false, "type": "link", "uuid": "58d8feea-28d8-49b8-b606-40fa950d210f", "value": "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#80ff00", "local": false, "name": "PAP:WHITE", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": false, "type": "text", "uuid": "58d8fef9-6938-4114-bac6-5fe0950d210f", "value": "Since late November 2016, the Shamoon 2 attack campaign has brought three waves of destructive attacks to organizations within Saudi Arabia. Our investigation into these attacks has unearthed more details into the method by which the threat actors delivered the Disttrack payload. We have found evidence that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network.\r\n\r\nOur analysis shows that the actors likely gathered the list of known hostnames directly from Active Directory or during their network reconnaissance activities conducted from a compromised host. This network reconnaissance, coupled with the credential theft needed to hardcode Disttrack payloads with legitimate username and password credentials, leads us to believe that it is highly likely the threat actors had sustained access to the targeted networks prior to Shamoon 2 attacks. Our research confirms that successful credential theft from targeted organizations was an integral part of the Shamoon 2 attackers\u00e2\u20ac\u2122 playbook, and they used these stolen credentials for remote access and lateral movement.\r\n\r\nOur analysis also shows an actor distributes Disttrack within the targeted network by first compromising a system that is used as the Disttrack distribution server on that network. The actor then uses this server to compromise other systems on the network by using the hostname to copy over and execute the Disttrack malware. On each of these named systems that are successfully compromised, the Disttrack malware will attempt to propagate itself to 256 additional IP addresses on the local network. This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion.\r\n\r\nIn this posting we also explore a possible connection between Shamoon 2 and the Magic Hound campaign, where we outline evidence of a potential connection between these two attack campaigns. Furthermore, we explore a possible scenario on how these two attack campaigns could have worked in conjunction with each other to execute the Shamoon 2 attacks.", "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#80ff00", "local": false, "name": "PAP:WHITE", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "exec-template.txt", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": true, "type": "sha256", "uuid": "58d8ff4a-fbe0-4f74-bb4f-1580950d210f", "value": "4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "ok.bat", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": true, "type": "sha256", "uuid": "58d8ff4b-7820-403e-8f3e-1580950d210f", "value": "5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pa.exe", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": true, "type": "sha256", "uuid": "58d8ff4e-2c70-4874-abdc-1580950d210f", "value": "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "ntertmgr32.bat", "deleted": false, "disable_correlation": false, "timestamp": "1490616352", "to_ids": true, "type": "sha256", "uuid": "58d8ff50-6ea0-43a2-b2b8-1580950d210f", "value": "c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "ntertmgr32.bat - Xchecked via VT: c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95", "deleted": false, "disable_correlation": false, "timestamp": "1490616363", "to_ids": true, "type": "sha1", "uuid": "58d9002b-e568-418a-92c4-3aa902de0b81", "value": "d6e98ff295345579e35d8ba21693a64dd80c03a2", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "ntertmgr32.bat - Xchecked via VT: c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95", "deleted": false, "disable_correlation": false, "timestamp": "1490616365", "to_ids": true, "type": "md5", "uuid": "58d9002d-0a30-4fd6-8140-3aa902de0b81", "value": "271554cff73c3843b9282951f2ea7509", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "ntertmgr32.bat - Xchecked via VT: c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95", "deleted": false, "disable_correlation": false, "timestamp": "1490616367", "to_ids": false, "type": "link", "uuid": "58d9002f-0760-4a5f-af91-3aa902de0b81", "value": "https://www.virustotal.com/file/c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95/analysis/1488902359/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pa.exe - Xchecked via VT: 01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", "deleted": false, "disable_correlation": false, "timestamp": "1490616369", "to_ids": true, "type": "sha1", "uuid": "58d90031-3a34-425b-810a-3aa902de0b81", "value": "31754ee85d21ce9188394a939c15a271c2562f93", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pa.exe - Xchecked via VT: 01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", "deleted": false, "disable_correlation": false, "timestamp": "1490616371", "to_ids": true, "type": "md5", "uuid": "58d90033-ba7c-4232-9d59-3aa902de0b81", "value": "22e9853298c96b1ab89d8f71c4e82302", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "pa.exe - Xchecked via VT: 01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", "deleted": false, "disable_correlation": false, "timestamp": "1490616372", "to_ids": false, "type": "link", "uuid": "58d90034-4324-4c20-a8d6-3aa902de0b81", "value": "https://www.virustotal.com/file/01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc/analysis/1490509472/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] } ] } }