New research from Symantec has revealed that recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were aimed at specific Middle East targets, although those suspected of being behind them appear to be linked to a much wider campaign.
In a blog post on its website, the firm explained that whilst the attackers were able to compromise multiple victims in the region, only selected organizations in or linked to Saudi Arabia were targeted with the destructive wiping attacks.
Symantec attributed the campaign to a group it has named Timberworm, which facilitated the third wave of Shamoon attacks in January 2017. The group is also suspected of being part of a much larger operation that infiltrated a far broader range of organizations than those hit by the Shamoon wiping attacks.
“During the January attacks, Symantec discovered a high correlation between Timberworm and the presence of Shamoon in a number of organizations in Saudi Arabia,” wrote a Symantec security researcher. “Timberworm appears to have gained access to these organizations’ networks weeks and, in some cases, months before the Shamoon attacks occurred.”
Once on the network, Symantec added, the attackers' primary goals were detailed network reconnaissance, credential harvesting and persistent remote access. Shamoon itself was preconfigured with a wipe date and the necessary credentials to maximize the overall impact of a coordinated attack.
Symantec said Timberworm's campaign targeted individuals at selected companies with spear-phishing emails, some carrying Microsoft Word or Excel files as attachments and others containing malicious links to similar files.
Opening the documents invoked PowerShell from a malicious macro, granting the attackers remote access to the affected computer. Once Timberworm had established that a target was of interest, it deployed custom malware, hacking tools and software traditionally used for system and network administration.
From there, the cyber-criminals configured the Shamoon payloads for each organization and then coordinated the attacks on a predetermined date.
“The Shamoon attacks illustrate how a growing number of targeted attack groups are relying on common off-the-shelf tools to compromise targets,” continued Symantec. “The Shamoon attackers managed to get access to targets’ networks using socially engineered spear phishing emails and abusing Office macros and PowerShell to gain initial footholds. In particular, the use of PowerShell has been a popular tactic of late.
“The appeal of ‘living off the land’ is obvious. Attackers believe malicious activity will be more difficult to detect if legitimate tools are involved and malware use is kept to a minimum. The use of legitimate tools may also serve to thwart attribution to specific actors.”
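The initial foothold described above (an Office macro launching PowerShell) and the "living off the land" point in the quote both come down to the same detection problem for defenders: legitimate binaries used in an unusual parent-child relationship. The following is an added example, not Symantec's research code, showing how a detection can key on that relationship rather than on malware signatures. It runs over constructed, simplified process-creation records modelled loosely on Sysmon Event ID 1 field names (UtcTime, Computer, User, ParentImage, Image, CommandLine); the hosts, users and command lines are invented for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records in a simplified pipe-delimited key=value form.
# Hosts, users and command lines are invented; none come from the Shamoon investigation.
SAMPLE_EVENTS = [
    r"UtcTime=2017-01-17 08:02:11|Computer=WS-0142|User=CORP\jdoe"
    r"|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoP -W Hidden -Enc REDACTEDBASE64",
    r"UtcTime=2017-01-17 08:02:40|Computer=WS-0142|User=CORP\jdoe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
    r"|CommandLine=WINWORD.EXE /n quarterly.docx",
    r"UtcTime=2017-01-17 09:15:03|Computer=WS-0207|User=CORP\asmith"
    r"|ParentImage=C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Users\asmith\AppData\Local\Temp\upd.ps1",
    r"UtcTime=2017-01-17 10:01:55|Computer=SRV-ADM01|User=CORP\sysadmin"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -File C:\Scripts\rotate-logs.ps1",
]

# Office applications that should essentially never be the parent of a PowerShell host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Command-line traits that raise the severity when seen together with an Office parent.
# PowerShell accepts unambiguous parameter prefixes, so the patterns allow short forms.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\b"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution_policy_bypass": re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
}


def parse_event(line: str) -> Dict[str, str]:
    """Split a pipe-delimited key=value record into a dict (first '=' separates key and value)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if an Office process spawned PowerShell, else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in POWERSHELL_IMAGES:
        return None
    reasons = ["office_spawned_powershell"]
    command_line = event.get("CommandLine", "")
    for name, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(command_line):
            reasons.append(name)
    return {
        "time": event.get("UtcTime", ""),
        "host": event.get("Computer", ""),
        "user": event.get("User", ""),
        "parent": parent,
        "image": image,
        "reasons": reasons,
        # The parent-child relationship alone is worth a look; extra traits make it high.
        "severity": "high" if len(reasons) > 1 else "medium",
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detection over raw records and return the findings in input order."""
    findings = []
    for line in lines:
        finding = analyse_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']} {f['parent']} -> {f['image']} "
              f"[{f['severity']}] {', '.join(f['reasons'])}")
```

The rule deliberately does not fire on the administrator's cmd.exe-launched script or on Explorer opening Word, which is the point of the quote: when the tooling is legitimate, the signal is in who launched what, not in the binary itself.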