New variants of the Shamoon disk-wiping malware were reported to cyber security experts this week from Italy. Shamoon was first spotted in 2012 in the cyber-attack against Saudi Arabia and other oil companies, in which it erased data from more than 30,000 systems belonging to the companies.
In 2016, it was spotted in the data breach assault against various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA).
Shamoon malware is designed to wipe the data from the infected system and make it unusable. The malware leverages Windows Server Message Block (SMB) to spread itself to other systems. The new strains were discovered by cyber security researchers, who said that the strains were also scanned and included in their database on December 10 from Italy.
Researchers also said they did not find any evidence linking the sample to any specific attack, and that who created the sample and who uploaded it is still unknown.
In one of the variants, the trigger date and local time were set to December 7, 2017, 23:51, which is nearly one year before the date it was uploaded. It is not clear whether the malware was used last year or whether the attackers intentionally set the date in the past so that an attack would start immediately.
Cyber security researchers also noted that the credential list contained in the sample does not contain enough information to link it to any particular target.
The new variants contain a much longer filename list used for selecting a dropped executable name when compared to other variants. Moreover, earlier this week Italian oil service company Saipem also announced a cyber-attack impacting servers located in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait.
The company said in a statement that the cyber attacker used a variant of Shamoon malware and caused the cancellation of data and infrastructures. This greatly affected the risk management and security assessment of the company.
Baan Alsinawi, president and founder of risk management firm TalaTek, said in one of her statements that based on publicly available information about the attack on Saipem, there’s a good possibility the attackers had physical access to the Italian company’s systems. The lack of a network component and a command-and-control center, as described, suggested that the cyber attacker had installed the malware manually and set a time for it to propagate.
The restoration activities, in a gradual and controlled manner, are under way through the back-up infrastructures and, when completed, will re-establish the full operation of the impacted site. This was said in the statement published by the company.