In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has responded to multiple incidents at other organizations in the region.
Shamoon 2.0 is a reworked and updated version of the malware we saw in the 2012 incident. Analysis shows the malware contains embedded credentials, which suggests the attackers may have previously conducted targeted intrusions to harvest the necessary credentials before launching a subsequent attack.
FireEye HX and FireEye NX both detect Shamoon 2.0, and our Multi-Vector Virtual Execution (MVX) engine is also able to proactively detect this malware.
The following is a summary of what we know about Shamoon 2.0 based on the samples we’ve analyzed:
The following is guidance for detecting the malware, counteracting its activity, and attempting to prevent it from propagating in an environment. Please note that performing any of these actions could have a negative effect and should not be implemented without proper review and study of the impact of the environment.
The following is a set of the Indicators of Compromise for the identified Shamoon variant. We recommend that critical infrastructure organizations and government agencies (especially those in the Gulf Cooperation Council region) check immediately for the presence or execution of these files within their Windows Server and Workstation environments. Additionally, we recommend that all customers continue to regularly review and test disaster recovery plans for critical systems within their environment.
File name: ntssrvr64.exe
Compile Time: 2009/02/15 12:32:19
File name: ntssrvr32.exe
Path: %SYSTEMROOT%\System32 NA NA
File size: 1,349,632
File name: ntssrvr32.bat
Path: %SYSTEMROOT%\System32 NA
File size: 160
File name: gpget.exe
PE compile time: 2009/02/15 12:30:41
File Size: 327,680
File name: drdisk.sys
Compile time: 2011/12/28 16:51:29
File Size: 31,632
File name: key8854321.pub
MD5: b5d2a4d8ba015f3e89ade820c5840639 782
File name: netinit.exe
File Size: 183,808
Display name: "Microsoft Network Realtime Inspection Service"
Service name: "NtsSrv"
Description: "Helps guard against time change attempts
targeting known and newly discovered vulnerabilities in network time