So, it looks like that the destructive impacts of the cyber attack targeting Aramco, where definitively true. In the same hours in which the first details about the malware were disclosed, Kasperky Lab, McAfee and Symantec have dedicated respectively three blog posts to describe what appears to be the latest example of a large scale cyber attack targeting Middle East (apparently focused on companies belonging to Energy Sector).
Shamoon (or W32/DistTrack), this is the name of the malware, has some points in common (the name of a module) with the infamous Flame, but according to Kaspersky this is the only similarity:
It is more likely that this is a copycat, the work of a script kiddies inspired by the story.
The malware has the same features seen in other “companions” among which the driver signed by a legitimate company “Eidos Corporation”.
According to Symantec, the malware consists of several components:
- Dropper: the main component and source of the original infection. It drops a number of other modules.
- Wiper: this module is responsible for the destructive functionality of the threat.
- Reporter: this module is responsible for reporting infection information back to the attacker.
According to McAfee, machines infected by the malware are made useless as most of the files, the MBR and the partition tables are overwritten with garbage data. The overwritten data is lost and is not recoverable, so this should confirm the destructive details received yesterday.
While, according to Seculert, the malware is a two-stage attack:
Stage 1: The attacker takes control of an internal machine connected directly to the internet, and uses that as a proxy to the external Command & Control server. Through the proxy, the attacker can infect the other internal machines, probably not connected directly to the internet.
Stage 2: Once the intended action on the internal infected machines is complete, the attacker executes the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines (or also the MBR and the partition table as McAfee Suggested). It then reported back to the external Command & Control Server through the proxy.
So far it is not clear who is behind the attack, although Kaspersky Lab suggests that the term Shamoon:
could be a reference to the Shamoon College of Engineering http://www.sce.ac.il/eng/. Or, it could simply be the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.
More details are expected in the next hours.