Advisory December 18, 2018

Shamoon v3

Obrela SOC

Shamoon v3 is a modular virus, also known as W32.DisTrack, that has recently re-emerged and hit oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe. The Security Operations Center of Obrela Security Industries wants to keep our customers continuously updated of the malware’s course through this and the campaigns to follow as well as to provide threat mitigation and prevention guidance. SOC is equipped to identify this threat with speed and precision.

What is it about?

Although there are few available details of how exactly the attack is delivered, phishing emails or stolen credentials are the most likely source. Following its delivery, the malware quickly takes measures in order to appear legitimate and maintain persistence. It then collects data regarding the target system and determines whether to drop the 32-bit or 64-bit version. It then proceeds to decrypt its contents and installs them into the system. The worm component, previously contained into its contents, uses spreading techniques to infect machines. Meanwhile, a system service, called MaintenaceSrv, will be created in order to later run the wiper component. This component will delete and overwrite files on the infected computer so they cannot be recovered, erase the master boot record of the computer and force a reboot, rendering it unusable, thus completing its purpose.

What is the impact of this attack?

As a result of this attack, machine’s infected files will be unrecoverable and the machines themselves unusable after either a blue screen or driver error.

What our customers should do as part of mitigation and prevention actions

  • Utilize this signatures in AV/EDR tools to identify infection using specific hashes:
d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
  • Executes the Spreader.exe component
35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
  • Spreader.exe
5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a
  • Trojan.Filerase component
0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d
  • Trojan.Filerase component
bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003
  • W32.Disttrack.B
c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f
  • W32.Disttrack.B
0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03
  • W32.Disttrack.B
0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe
  • W32.Disttrack.B
391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c
  • Disttrack Wiper module x86
6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879
  • ElDos RawDisk Driver x86
ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150
  • Disttrack Comms module x64
dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589
  • Disttrack Wiper module x64
bc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70
  • ElDos RawDisk Driver x64
df177772518a8fcedbbc805ceed8daecc0f42fed
  • Original dropper x86
ceb7876c01c75673699c74ff7fac64a5ca0e67a1
  • Wiper
10411f07640edcaa6104f078af09e2543aa0ca07
  • Worm module
43ed9c1309d8bb14bd62b016a5c34a2adbe45943
  • key8854321.pub
bf3e0bc893859563811e9a481fde84fe7ecd0684
  • RawDisk driver