A new sample of the destructive disk-wiping malware Shamoon was recently discovered on VirusTotal. The malware variant was uploaded to the platform on December 23, 2018, from France. It tries to bypass detection by leveraging a digital certificate from the Chinese technology company Baidu.
The new sample of Shamoon tries to evade detection by posing as the system optimization tool Enigma version 4. The variant is signed with a digital certificate that was issued on March 25, 2015, and expired on March 26, 2016.
Threat actors conducting attacks against oil and gas companies in the Middle East have typically used the new Shamoon variant to attack firms in the same region, as well as in Europe. Researchers from Anomali Labs found that the new sample of Shamoon uses an image of a burning US dollar as part of its attack.
“The image includes the text ‘WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN’ which is displayed in tandem with the overwriting of files on a victim's system,” Anomali researchers said in a blog post.
To deceive users, attackers disguised the malware as various file names such as ‘Baidu PC Faster’ and ‘Baidu WiFi Hotspot Setup’.
“In this case, the malicious internal file name is ‘Baidu PC Faster’ and uses the description ‘Baidu WiFi Hotspot Setup’. A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource ‘GRANT’ is included which indicates that this sample was likely compiled based on the second version of the codebase,” wrote Anomali Labs researchers.
The new Shamoon variant’s capabilities include deleting files from infected systems and rendering the machines unbootable. Currently, there is no evidence of the new malware sample having been used in the wild.
“At this time, Anomali Labs has not confirmed that this sample has been used to target victims in the wild. However, historic Shamoon 2 attacks occurred in November 2016 and late January 2017. The possibility for targeted attacks occurring during western holidays exists. This possibility is highlighted by the use of US currency in the political image that accompanies the destructive malware,” Anomali Labs researchers explained.