On August 15, 2012, a highly destructive wiper called Shamoon was unleashed by suspected Iranian adversaries on several energy companies in the Middle East. Our CrowdStrike team analyzed the attack at the time and became very familiar with this threat. So when our team came across a new incident that occurred a few weeks ago in the Middle East, it immediately looked exceptionally familiar. This new variant of Shamoon kept many of the original tactics, down to the commercial ElDos raw disk driver used for disk wiping, including the same trial license key for this driver that had been used in the original attacks. That ElDos trial key was only valid for 30 days and expired by September 2012. In order to continue to use the key, the wiper now has to reset the Windows system clock back to August 2012 to manipulate the license validation process.
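The clock reset described above is itself a detection opportunity. The following is an added example, not CrowdStrike's code: it hunts Windows Security event 4616 ("The system time was changed") for large backward jumps, assuming the events have been exported as records carrying `PreviousTime` and `NewTime` fields. The one-day threshold, the severity labels and all sample hosts and processes are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like exported Security event 4616
# ("The system time was changed"). Hosts, processes and times are invented.
SAMPLE_EVENTS = [
    {"EventID": 4616, "Computer": "ws-014", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2016-11-17T20:45:01.250Z", "NewTime": "2016-11-17T20:45:01.900Z"},
    {"EventID": 4616, "Computer": "ws-022", "ProcessName": r"C:\Temp\example.exe",
     "PreviousTime": "2016-11-17T20:45:10Z", "NewTime": "2012-08-15T08:00:00Z"},
    {"EventID": 4624, "Computer": "ws-022"},
    {"EventID": 4616, "Computer": "ws-030", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "PreviousTime": "2016-11-18T09:00:00Z", "NewTime": "2016-11-15T09:00:00Z"},
    {"EventID": 4616, "Computer": "ws-031", "PreviousTime": "not-a-time", "NewTime": ""},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, ignoring fractional seconds."""
    whole = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(whole).replace(tzinfo=timezone.utc)


def find_clock_rollbacks(events, min_rollback=timedelta(days=1)):
    """Return a finding per 4616 event that moves the clock back by min_rollback or more."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4616:
            continue
        try:
            prev, new = parse_ts(ev["PreviousTime"]), parse_ts(ev["NewTime"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than abort the hunt
        rollback = prev - new
        if rollback < min_rollback:
            continue  # forward changes and small time-sync corrections
        # August 2012 is the month the article says the wiper resets the clock to.
        in_window = (new.year, new.month) == (2012, 8)
        findings.append({
            "host": ev.get("Computer"),
            "process": ev.get("ProcessName"),
            "rollback_days": rollback.days,
            "severity": "high" if in_window else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_clock_rollbacks(SAMPLE_EVENTS):
        print(finding)
```

Event 4616 is only recorded when the relevant audit policy is enabled, so confirm the events are actually being collected before relying on this hunt.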
The most interesting change in the recent sample is the image that Shamoon uses to overwrite file data: it switched from 1024 bytes of a burning American flag to the infamous photograph of deceased Alan Kurdi, a 3-year-old boy whose body washed up in Turkey in September 2015. (disturbing images intentionally not shown)
While the precise motives in this most recent November incident are currently unclear, the attacks coincide with multiple geopolitical events impacting the Gulf countries, as well as recent industry developments within Saudi Arabia itself. Previous usage of Shamoon against Gulf Cooperation Council (GCC) targets is believed to have been driven by Iranian intelligence requirements stemming, at least in part, from international sanctions activities impacting the country’s economy. The November 2016 incidents came ahead of the 171st meeting of the Organization of the Petroleum Exporting Countries (OPEC) conference in Vienna, where consensus was reached on the implementation of the first oil production cuts in 8 years.
VirusTotal Results for Shamoon binaries on November 22nd
These malware samples were first submitted to VirusTotal on November 22nd. CrowdStrike’s Machine Learning engine, which has been included in VirusTotal since this summer, had no trouble identifying both as malicious, with 100% and 82% confidence levels, respectively, even though the Artificial Intelligence model was built prior to the existence of the malware!
For more information about how you can prevent breaches with CrowdStrike Falcon, which provides protection with both Machine Learning and behavioral Indicators-of-Attack (IOAs), request a live demo from our team.