Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs
Shamoon is a type of destructive malware that has been previously associated with attacks against various organizations in the oil and gas industry that we've been tracking since 2012. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.
On Dec. 10, Talos observed a new Shamoon 3 variant ( c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.Propagation
Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.Coverage
Coverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.Snort Rules 23893 23903 23905-23933 24127 40906 ClamAV Signatures Win.Dropper.DistTrack-* Win.Trojan.DistTrack.* Win.Malware.DistTrack.* AMP Detection W32.GenericKD:Malwaregen.20c3.1201 W32.Malwaregen.19nb.1201 W32.47BB36CD28-95.SBX.TG W32.Malwaregen.19nb.1201 W32.Generic:Malwaregen.20c3.1201 Win.Malware.DistTrack W32.128FA5815C-95.SBX.TG W32.C7FC1F9C2B-95.SBX.TG W32.EFD2F4C3FE-95.SBX.TG W32.010D4517C8-95.SBX.TG Win.Malware.DistTrack.Talos
Other Mitigation Strategies
Recent Shamoon 2 activity serves as a good reminder that users and organizations need to have a comprehensive disaster recovery plan. No one can say for certain if you will be targeted by destructive malware but we can say with 100% certainty that all drives fail. Without a proper system to backup and restore your data, you risk permanently losing your data. Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware, or other destructive malware and require a complete restoration.
Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.IOCs