Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs
Shamoon is a type of destructive malware that has been previously associated with attacks against various organizations in the oil and gas industry that we've been tracking since 2012. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.
On Dec. 10, Talos observed a new Shamoon 3 variant ( c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.
PropagationShamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.
CoverageCoverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules 23893 23903 23905-23933 24127 40906 ClamAV Signatures Win.Dropper.DistTrack-* Win.Trojan.DistTrack.* Win.Malware.DistTrack.* AMP Detection W32.GenericKD:Malwaregen.20c3.1201 W32.Malwaregen.19nb.1201 W32.47BB36CD28-95.SBX.TG W32.Malwaregen.19nb.1201 W32.Generic:Malwaregen.20c3.1201 Win.Malware.DistTrack W32.128FA5815C-95.SBX.TG W32.C7FC1F9C2B-95.SBX.TG W32.EFD2F4C3FE-95.SBX.TG W32.010D4517C8-95.SBX.TG Win.Malware.DistTrack.TalosOther Mitigation Strategies
Recent Shamoon 2 activity serves as a good reminder that users and organizations need to have a comprehensive disaster recovery plan. No one can say for certain if you will be targeted by destructive malware but we can say with 100% certainty that all drives fail. Without a proper system to backup and restore your data, you risk permanently losing your data. Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware, or other destructive malware and require a complete restoration.
Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
IOCsShamoon 2
4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b
5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a
01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95