Once you are logged in, you will be able to:

Customize your feeds by selecting categories you like

Comment on or Like an article

Receive the latest security stories, trends, and insights in your inbox

Build your profile and login across multiple devices

Bookmark a story and read it later

To use Cyware you must have cookies enabled. By Registering or Signing in, you agree to our Terms and Privacy Policy. You can also signup using Google Account. We will not use your credentials to import contacts or post anything on your account without your permission.For more info, please see Login FAQ.

Shamoon disk-wiping malware returns with a new variant

December 18, 2018

|
Malware and Vulnerabilities
Share on Whatsapp

Share on LinkedIn

Share on Twitter

Share on Facebook

Shamoon disk-wiping malware returns with a new variant

The disk-wiping malware was spotted last week in two attacks.
The come-back noted a different strain of the malware.

Earlier last week, the disk-wiper malware was spotted back in action, with not just one, but two occurrences. The second sighting observed a different strain of the malware and was uploaded to VirusTotal on December 13, 2018, from a user in the Netherlands.

The new sample of Disstrack shares several similarities and few contrasts from its predecessor. Among the few contrasts is the trigger date, still set in the past to December 12, 2017.

The detonation date still set in the past

A trigger or detonation date is typically set to activate the malware. In the new sample’s case, it's not clear why the threat actor used dates in the past.

“The Shamoon can retrieve detonation dates from its command and control (C2) server; the samples examined by Anomali Labs did not have the C2 configured,” Ghareeb Saad, Threat Intelligence Manager at Anomali told BleepingComputer

Another explanation for the trigger date to be set in the past is that the adversary wanted Shamoon to become active immediately after reaching the target.

"This may be achieved by altering the detonation date to 1 year in the past. Therefore, it is possible that a sample with a detonation date of December 12, 2017, represents the second wave of Shamoon V3 malware that was utilized on December 12, 2018," Researchers from Anomali Labs said.

UPX packed

The newly uncovered second sample that contained detonation date of December 12, 2017, is UPX (Ultimate Packer for eXecutable) packed. Other samples identified by security researchers using trigger date of 7, December 2017 were not packed utilizing UPX.

“Additionally, this sample uses a different set of file names from the earlier identified versions and a different executable file name. The file description imitates the product name “VMware Workstation” in an attempt to utilize a legitimate software product as a lure to victims,” researchers said.

You must Register or Sign in to your Cyware account to perform this action

Shamoon disk-wiping malware returns with a new variant

The detonation date still set in the past

UPX packed

Get such articles in your inbox

News

Popular News

Related News

Categories

Get such articles in your inbox

News

Popular News

Related News

Categories