Researchers have released new findings showing overlapping source code and techniques between the Shamoon and Kwampirs malware families. The findings suggest either that the same group is behind both families or that different groups are sharing code and working together.

The link between the duo

Researchers have identified connections between the various variants of Shamoon and Kwampirs. Kwampirs appears to be based on the original Shamoon, and the code used in the Shamoon 2 and Shamoon 3 campaigns in turn appears to be based on Kwampirs, implying that the authors of Kwampirs could be the same as the authors of Shamoon.

The connection rests on malware artifacts and previously unnoticed components, including an intermediate version, a Shamoon dropper, that can be treated as a base version of the family.

Diving into the details

  • The Shamoon dropper has no wiper component and reuses the loader code of Kwampirs.
  • The two families share similar code for retrieving system metadata such as the host's MAC address and the victim's keyboard layout, and both call the same WinINet API, InternetOpenW, to initialize the session from which HTTP requests to the C2 server are built.
  • Both families also build their reporter module from a common template system; that module uploads host information to the C2 server and downloads additional payloads from it for execution.
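As an added example (not code from Cyware, the researchers or the malware authors), the following Python script shows the kind of artifact-overlap check that sits behind findings like these: it pulls printable ASCII and UTF-16LE strings out of two binaries, keeps those that name Windows APIs, and scores how much the two import sets overlap. The API list, the sample blobs and the helper names are all hypothetical and constructed inline; the blobs only imitate the strings the article says both families contain and hold no real malware bytes.

```python
"""
Added example (not Cyware's or the researchers' code): a small artifact-overlap
triage tool of the kind used to compare two samples for shared API usage.
It extracts ASCII and UTF-16LE strings from two byte blobs, keeps the ones that
match a list of Windows API names, and reports the Jaccard similarity of those
sets together with the shared names. The sample blobs below are constructed
stand-ins for a Kwampirs loader and a wiper-less Shamoon dropper; they contain
no real malware bytes.
"""
import re
from typing import Iterable, Set, Tuple

# Windows API names to look for (hypothetical list). The first group is what the
# article says both families use (WinINet for C2 traffic, adapter info for the
# MAC address, keyboard layout); the rest let the constructed samples differ.
API_NAMES = {
    "InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW",
    "GetAdaptersInfo", "GetKeyboardLayout", "GetKeyboardLayoutList",
    "GetComputerNameW", "GetVersionExW", "CreateServiceW", "WriteFile",
}


def extract_strings(blob: bytes, min_len: int = 6) -> Set[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    found: Set[str] = set()
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.add(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.add(m.group().decode("utf-16le"))
    return found


def api_names_in(blob: bytes) -> Set[str]:
    """Strings from the blob that are known Windows API names."""
    return {s for s in extract_strings(blob) if s in API_NAMES}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets are treated as unrelated."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare(blob_a: bytes, blob_b: bytes) -> Tuple[float, Set[str]]:
    """Similarity score and the API names both blobs reference."""
    apis_a, apis_b = api_names_in(blob_a), api_names_in(blob_b)
    return jaccard(apis_a, apis_b), apis_a & apis_b


def build_sample(ascii_names: Iterable[str], wide_names: Iterable[str]) -> bytes:
    """Constructed stand-in for a binary: fake MZ header, NUL-separated ASCII
    import names, junk bytes, then UTF-16LE strings. Not real malware."""
    body = b"MZ\x90\x00\x03\x00" + b"\x00" * 32
    for name in ascii_names:
        body += name.encode("ascii") + b"\x00"
    body += b"\xde\xad\xbe\xef" * 4  # separates the ASCII and wide regions
    for name in wide_names:
        body += name.encode("utf-16le") + b"\x00\x00"
    return body


# Constructed samples (hypothetical content, chosen to mirror the article's
# description of shared metadata collection and WinINet C2 setup).
KWAMPIRS_SAMPLE = build_sample(
    ["InternetOpenW", "InternetConnectW", "GetAdaptersInfo", "GetComputerNameW", "kernel32.dll"],
    ["HttpOpenRequestW", "GetKeyboardLayout", "CreateServiceW"],
)
SHAMOON_DROPPER_SAMPLE = build_sample(
    ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "GetVersionExW", "wininet.dll"],
    ["GetAdaptersInfo", "GetKeyboardLayout", "GetComputerNameW"],
)
UNRELATED_SAMPLE = build_sample(
    ["WriteFile", "CreateFileW", "msvcrt.dll"],
    ["GetVersionExW"],
)

if __name__ == "__main__":
    for label, other in (("Shamoon dropper", SHAMOON_DROPPER_SAMPLE),
                         ("unrelated sample", UNRELATED_SAMPLE)):
        score, shared = compare(KWAMPIRS_SAMPLE, other)
        print(f"Kwampirs vs {label}: jaccard={score:.3f} shared={sorted(shared)}")
```

To run it against real samples, replace the constructed blobs with the bytes of each file. Shared use of InternetOpenW or GetAdaptersInfo on its own is weak evidence, since countless legitimate programs call the same APIs; the researchers' attribution rests on matching code, a shared loader and a common reporter template, and a string-level overlap score like this is only a first filter for deciding which samples deserve that deeper comparison.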

Conclusion

The disclosure of links between the two malware families points to cooperation between the threat actors behind them, or possibly to a single group operating through multiple sub-groups with the same goal. Whatever the case, organizations should have effective countermeasures in place, including reliable anti-malware solutions, and should use threat intelligence to track and block such threats.

Cyware Publisher