Shamoon v3 is a modular virus, also known as W32.DisTrack, that has recently re-emerged and hit oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe. The Security Operations Center of Obrela Security Industries wants to keep our customers continuously updated of the malware’s course through this and the campaigns to follow as well as to provide threat mitigation and prevention guidance. SOC is equipped to identify this threat with speed and precision.
What is it about?
Although there are few available details of how exactly the attack is delivered, phishing emails or stolen credentials are the most likely source. Following its delivery, the malware quickly takes measures in order to appear legitimate and maintain persistence. It then collects data regarding the target system and determines whether to drop the 32-bit or 64-bit version. It then proceeds to decrypt its contents and installs them into the system. The worm component, previously contained into its contents, uses spreading techniques to infect machines. Meanwhile, a system service, called MaintenaceSrv, will be created in order to later run the wiper component. This component will delete and overwrite files on the infected computer so they cannot be recovered, erase the master boot record of the computer and force a reboot, rendering it unusable, thus completing its purpose.
What is the impact of this attack?
As a result of this attack, machine’s infected files will be unrecoverable and the machines themselves unusable after either a blue screen or driver error.
What our customers should do as part of mitigation and prevention actions
| d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a | – Executes the Spreader.exe component |
| 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b | – Spreader.exe |
| 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a | – Trojan.Filerase component |
| 0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d | – Trojan.Filerase component |
| bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003 | – W32.Disttrack.B |
| c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f | – W32.Disttrack.B |
| 0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03 | – W32.Disttrack.B |
| 0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe | – W32.Disttrack.B |
| 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c | – Disttrack Wiper module x86 |
| 6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879 | – ElDos RawDisk Driver x86 |
| ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150 | – Disttrack Comms module x64 |
| dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589 | – Disttrack Wiper module x64 |
| bc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70 | – ElDos RawDisk Driver x64 |
| df177772518a8fcedbbc805ceed8daecc0f42fed | – Original dropper x86 |
| ceb7876c01c75673699c74ff7fac64a5ca0e67a1 | – Wiper |
| 10411f07640edcaa6104f078af09e2543aa0ca07 | – Worm module |
| 43ed9c1309d8bb14bd62b016a5c34a2adbe45943 | – key8854321.pub |
| bf3e0bc893859563811e9a481fde84fe7ecd0684 | – RawDisk driver |
