Shamoon saga continues as Symantec confirms probe
Symantec investigating Greenbug cyberespionage group that has possible links to Shamoon
Symantec says it’s currently investigating reports of yet another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group.
ITP.net reported earlier that Saudi government and petrochemicals organisations have come under cyber attacks by malware suspected to be Shamoon.
Similar to previous attacks, the Disttrack malware used by Shamoon is only the destructive payload. It requires some other means of being deployed on targeted organisations’ networks and is configured with previously stolen credentials.
Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B (aka Shamoon). Shamoon (W32.Disttrack) first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia. It recently resurfaced in November 2016 (W32.Disttrack.B), again attacking targets in Saudi Arabia. While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organisations’ networks remains a mystery.
Could Greenbug be responsible for getting Shamoon those stolen credentials?
Greenbug was discovered targeting a range of organisations in the Middle East, including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor, as well as a selection of hacking tools, to steal sensitive credentials from compromised organisations.
Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organisation’s network prior to W32.Disttrack.B being deployed on November 17, 2016.
Active since at least June 2016, Greenbug most likely uses email to compromise targeted organisations. Symantec believes the group has exclusive access to the malware Trojan.Ismdoor. The group uses additional tools to compromise other computers on the network and to steal user names and passwords from operating systems, email accounts, and web browsers.
Between June and November 2016, Trojan.Ismdoor was used against a number of targets in a wide range of sectors across the Middle East. As part of the operation, legitimate infrastructure belonging to an organisation in the energy sector was used to host the Ismdoor payload. Attacks impacted organisations involved in aviation, government, investment, and education. Additional regions affected include Saudi Arabia, Iran, Bahrain, Iraq, Qatar, Kuwait, and Turkey. A Saudi organisation in Australia was also targeted.
It is believed that the attacks start with an email that asks the recipient to download a RAR archive containing what is purported to be information about a business proposal. These lure documents were hosted on a legitimate website, which may have been previously compromised by Greenbug. The Ismdoor malware is hidden inside the RAR archive using an alternate data stream.
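Because a payload stored in an NTFS alternate data stream does not show up in a normal directory listing, a responder checking a suspect download has to ask for the streams explicitly. The following PowerShell snippet is an added example for defenders, not code from the article or from Symantec: it walks a folder into which an archive was extracted (the path is an assumed placeholder) and lists every stream other than the file's normal `:$DATA` content.

```powershell
# Added example (not part of the article): enumerate NTFS alternate data
# streams under a folder where a downloaded archive was extracted, so a
# payload hidden in a stream can be spotted before the file is trusted.
# The folder path below is an assumed placeholder.
$extracted = 'C:\Users\Public\Downloads\proposal'

Get-ChildItem -LiteralPath $extracted -File -Recurse |
    ForEach-Object {
        # -Stream * returns one object per NTFS stream; ':$DATA' is the
        # ordinary file content, so anything else is an alternate stream.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File   = $_.FileName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # Zone.Identifier (mark-of-the-web) is expected on files
                    # that came from a browser; any other stream deserves a look.
                    Expected = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    } | Format-Table -AutoSize
```

A small `Zone.Identifier` stream on a downloaded file is normal and is what browsers and Windows use to mark the file's origin; a stream with any other name, particularly one whose size is comparable to an executable, is the pattern described above and should be pulled for analysis (`Get-Content -LiteralPath <file> -Stream <name> -AsByteStream` in PowerShell 7, or `-Encoding Byte` in Windows PowerShell 5) rather than opened.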