Shamoon: fraudulent virus active again, main target - Middle East

Shamoon is back. The main target – the Middle East

New Shamoon includes a wiper component which erases files permanently.

The infamous malware named Shamoon, also recognized as Disttrack, is a well-known threat which became famous for its hazardous activity caused in the past.^[1] It first emerged in August 2012 and managed to make attempts against numerous Saudi Arabia computer users causing serious contamination of their systems.^[2]

However, Shamoon did not show any signs of activity for about two years until now. The virus came to the surface again just several days ago – on the 10th of December – when it made several attempts against its victims who appear to be located in the Middle East. This cruel attack was first discovered when Saipem, an Italian oil company, announced that their servers were hit by the cyber threat.^[3]

As the company has stated, around 100 computers and 400 servers were affected by the Shamoon virus. Moreover, the company has claimed that they are taking all actions necessary to restore everything back as it was before the virus initiated its damage:

We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities.

An interesting part in this is that a cybersecurity researcher from Symantec has discovered that some other organizations which have also been affected by this dangerous malware are also making business with oil and gas.^[4] However, they are located in Saudi Arabia and the United Arab Emirates.

The virus includes a wiper named Trojan.Filerase

The latest attacks are even more dangerous and destructive when compared to the previous campaigns as the virus includes a new wiper known as Trojan.Filerase.^[5] This component is capable of erasing and rewriting all files and documents from the infected computer systems before the master boot record is wiped out by Shamoon, and turned unusable.^[6] As a result, Shamoon virus has become even more dangerous and more hazardous.

Note that if this cyber threat was used alone, it would not receive such success comitting its cyber crimes. The new wiper Trojan.Filerase appears to be an extremely dangerous component which, when it wipes all files successfully, no recovery can be performed to bring them back.

The Filerase malware has an interesting distribution technique as well. It can be spread to numerous users just by infecting one computer and then using a list of remote machines. The virus is also using the Spreader.exe tool which is capable of copying Filerase to the machines that are on the list. After that, the malware is passed to the targeted computer systems.

There might be relations between Shamoon and Trojan.Stonedrill

Cybersecurity experts might have found some relations between Shamoon virus and another malware called Trojan.Stonedrill. Saudi Arabia has recently experienced attempts not only from Shamoon but from another cybercriminals' group known as Elfin or APT33.

These crooks used Stonedrill malware to infect the targeted systems and perform their damaging activities. Nevertheless, there were other attacks that were launched targeting the same organization. The Elfin and Shamoon attacks spreading at the same time let people speculate that maybe the hackers were working together in some ways.

Additionally, Shamoon malware might leave some files in the infected computer system from which it can be recognized. Take a look and be able to spot the signs of this dangerous infection:^[7]

• _tdibth.exe
• _wialx002.exe
• acpipmi2z.exe
• af0038bdax.exe
• arcx6u0.exe
• averfix2h826d_noaverir.exe
• hidirkbdmvs2.exe
• mdamx_5560.exe
• mdmgcs_8.exe
• mdmusrk1g5.exe
• megasasop.exe
• netbxndxlg2.exe
• prncaz90x.exe
• prngt6_4.exe
• prnlx00ctl.exe
• prnsv0_56.exe
• tsprint_ibv.exe
• vsmxraid.exe
• wiacnt7001.exe