Shamoon Malware: A brief understanding of the data-wiping malware’s attacks
  • Shamoon is a destructive malware designed to wipe infected systems by overwriting files with junk data.
  • The data-wiping malware targets organizations in the United Arab Emirates, Saudi Arabia, and Europe.

Shamoon, also known as Disttrack, is a data-wiping malware that researchers discovered on 16 August 2012. The malware was used to attack oil and gas company Saudi Aramco in the Middle East in 2012.

After four years, the destructive malware returned in 2016, targeting the same industry. In both attacks, the malware wiped files and replaced them with propaganda images such as a burning US flag and the body of Alan Kurdi.

The latest version of Shamoon malware was spotted in December 2018, attacking Italian oil services firm Saipem.

Shamoon's capabilities

  • Shamoon malware’s capabilities include wiping data from infected systems.
  • The destructive malware can destroy the hard disk and make systems unusable.
  • It can steal credentials from targeted organizations.
  • The data wiper can overwrite files and the master boot record.
  • It can also download and execute additional applications to the system, as well as remotely set the date to start wiping systems.

The attack on Saudi Aramco

Shamoon malware was first discovered in 2012 during a cyber attack against oil and gas giant Saudi Aramco, wiping data on almost 30,000 systems.

In the Saudi Aramco attack, the malware wiped files and replaced them with a burning US flag image. In 2012, destructive malware was also used against other Saudi Arabian oil companies.

The 2016 and 2017 attacks

After 2 years, Disttrack returned in 2016, affecting various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). In November 2016, researchers observed the Shamoon malware targeting a single organization in Saudi Arabia.

The second version of the malware, dubbed Shamoon 2, was spotted in 2017 targeting virtualization products.

The attack on Saipem

Shamoon malware returned with version 3, attacking the Italian oil and gas firm Saipem. In the latest attack, which took place in December 2018, the malware destroyed files on about ten percent of Saipem's PC fleet. The Italian oil firm confirmed that 300 systems on its network were crippled by the Shamoon attack.

“The cyber attack hit servers based in the Middle East, India, Aberdeen and in a limited way Italy through a variant of Shamoon malware,” Saipem said.

Unlike old Shamoon versions which would overwrite files with an image, this new variant would overwrite the MBR, partitions, and files on the system with randomly generated data.
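
For responders, a random-data overwrite of the MBR like the one described above can be told apart from an intact boot sector. The following is an added example, not code from this article or from any vendor tool: it checks a 512-byte sector 0 for the 0x55AA boot signature, plausible partition entries, and byte entropy. The 7.0 bits/byte threshold and both sample sectors are constructed assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_mbr(sector: bytes, entropy_limit: float = 7.0) -> list:
    """Return findings suggesting sector 0 is no longer a valid MBR."""
    if len(sector) != 512:
        raise ValueError("sector 0 must be exactly 512 bytes")
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i : 462 + 16 * i]
        if entry == bytes(16):
            continue  # unused slot
        status, ptype = entry[0], entry[4]
        count = struct.unpack_from("<I", entry, 12)[0]  # sector count
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status 0x{status:02x}")
        elif ptype == 0 or count == 0:
            findings.append(f"entry {i}: populated but type or size is zero")
    entropy = shannon_entropy(sector)
    if entropy > entropy_limit:  # threshold is an assumption, tune per fleet
        findings.append(f"entropy {entropy:.2f} bits/byte, consistent with random fill")
    return findings

def sample_intact() -> bytes:
    """Constructed MBR: zeroed boot code, one bootable type-0x07 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def sample_overwritten() -> bytes:
    """Constructed stand-in for random fill: 16 SHA-256 digests (512 bytes)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for name, sector in (("intact", sample_intact()), ("overwritten", sample_overwritten())):
        print(name, triage_mbr(sector) or "no findings")
```

On a live response, the same function can be run over the first 512 bytes of a forensic disk image.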

The malware signed with Baidu certificate

A new sample of the Shamoon malware was recently uploaded to VirusTotal on December 23, 2018, from France. It tried to bypass detection by leveraging a digital certificate from the Chinese technology company Baidu. However, the digital certificate, which was issued on March 25, 2015, expired on March 26, 2016.

Researchers analyzed all three versions of Shamoon and concluded that the Iranian hacker group APT33 is likely responsible for these attacks.

Cyware Publisher