Although not widely distributed, Disttrack/Shamoon is surprisingly aggressive. These days it is more usual for malware to covertly steal data from its victims; but this one draws attention by destroying it. This is puzzling. “Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a 0-day vulnerability in order to silently install a sophisticated malware... Why would someone wipe files in a targeted attack and make the machine unusable?” asks SecuLert.
SecuLert’s analysis shows the malware first infects a computer attached to the internet, and then seeks to infect other machines on the internal network that might not be directly connected to the internet. What Disttrack does to – or on – those systems is not clear, because it then wipes the data and overwrites the MBR – but not before sending a list of the wiped files to the original computer, which then forwards that list to the attacker’s C&C server.
Symantec points out that Disttrack/Shamoon comprises three primary modules: a dropper, a wiper and a reporter. It is the wiper component that is destructive, overwriting files with a JPEG image. “The following string that points to the location of debug symbols was left in the Wiper component of this threat and gives an idea of where the component was located on the developer’s computer: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb,” notes Symantec. This string has given rise to some conjecture on both the source and motivation for the malware – but it is just conjecture.
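The two artefacts described above – user files whose contents have been replaced by a JPEG image, and the debug-symbol path left in the wiper binary – lend themselves to a simple forensic triage check. The script below is an added example written for this article, not code from Symantec or any other vendor named here; the file names and bytes it scans are constructed sample data.

```python
import tempfile
from pathlib import Path

# Hypothetical triage script; it is not part of any vendor's published tooling.
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = {".jpg", ".jpeg", ".jfif"}
# Debug-symbol path that Symantec reported inside the wiper module (quoted above).
WIPER_PDB_PATH = rb"C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb"


def classify(name: str, data: bytes) -> list[str]:
    """Return indicator labels for one file given its name and leading bytes."""
    findings = []
    ext = Path(name).suffix.lower()
    # A document or executable whose body now begins with a JPEG header is
    # consistent with the "overwrite with an image" behaviour described above.
    if data.startswith(JPEG_MAGIC) and ext not in IMAGE_EXTS:
        findings.append("jpeg-overwrite")
    # The leftover symbol path is a weak but cheap indicator of the wiper binary.
    if WIPER_PDB_PATH in data:
        findings.append("wiper-pdb-string")
    return findings


def scan_tree(root: str, max_read: int = 1 << 20) -> dict[str, list[str]]:
    """Walk a directory and map each flagged file (relative path) to its labels."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:max_read]
        except OSError:
            continue  # unreadable files are skipped, not treated as clean
        labels = classify(path.name, data)
        if labels:
            hits[str(path.relative_to(root))] = labels
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree and scan it (sample data, not real artefacts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)  # wiped
        (root / "photo.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)    # benign
        (root / "notes.txt").write_bytes(b"quarterly numbers\n")                 # intact
        (root / "svc.exe").write_bytes(b"MZ" + b"\x00" * 32 + WIPER_PDB_PATH)    # wiper?
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, labels in sorted(demo().items()):
        print(f"{path}: {', '.join(labels)}")
```

The JPEG check only recognises a file whose body was replaced from its first byte; a wiper that overwrites elsewhere, or the MBR, needs a separate disk-level check.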
The purpose of the malware isn’t clear, notes Kaspersky, “but the tool is collecting data from infected machines and sending off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late.” Flame, and its own wiper component, comes to mind; but Kaspersky does not believe that the two are connected. “It is more likely that this is a copycat, the work of script kiddies inspired by the story.”
Nevertheless, further analysis of Disttrack/Shamoon is a work in progress.