Researchers have attributed a new wave of Shamoon disk wiper attacks to Iranian hacking group APT33.
The attacks targeted several energy, telecoms and government organizations in the Middle East, often via suppliers in Europe. They include version 3 of Shamoon, a malware family first used in the infamous destructive attack on Saudi Aramco in 2012 which wiped over 30,000 machines.
Unlike that, and subsequent raids on Saudi targets in 2016/17 which used Shamoon v2 and the Stonedrill wiper, this wave of attacks used a new modular approach and wiper.
A .Net toolkit features capabilities to read a list of targeted computers; extract OS info and spread the file eraser in each machine; remotely execute the wiper via PsExec; and a new wiper, Filerase.
“The attackers have essentially packaged an old version (v2) of Shamoon with an unsophisticated toolkit coded in .Net. This suggests that multiple developers have been involved in preparing the malware for this latest wave of attacks,” McAfee security researcher, Thomas Roccia, explained.
“In our last post, we observed that Shamoon is a modular wiper that can be used by other groups. With these recent attacks, this supposition seems to be confirmed. We have learned that the adversaries prepared months in advance for this attack, with the wiper execution as the goal.”
Unlike the Shamoon v3 code, Neterase and the toolkit are not obfuscated. The researchers were therefore able to find ASCII art inside the .Net wiper, with a message from the Quran.
Victims were infected via phishing websites featuring job ads, which allowed the attackers to grab their credentials and from there deploy the toolkit.
Both wipers, Shamoon v3 and Filerase, are then spread to the victim machine: the former overwriting files and disk sectors and the latter erasing files and folders.