A variant of the Shamoon malware crippled more than 300 of the computers of Saipem, the Italian Oil & Gas services firm. Yesterday a new variant of this malware was uploaded to the VirusTotal platform from Italy (md5: b41f586fc9c95c66f0967f1592641a85). The sample does not appear to have been compiled recently: its PE compilation timestamp reads 2011-11-28 14:53:13, a value that is trivial to forge and should not be taken at face value. The variant under analysis carries Arabic language ID support, in line with previous Shamoon versions. It is able to overwrite the MBR of the infected system, making it impossible for the machine to boot.
MaintenaceSrv32.exe [dropper – md5: de07c4ac94a50663851e5dabe6e50d1f]
MaintenaceSrv32.exe appears to be the dropper of the further malicious components, which are embedded in its RT_BITMAP resource section.
MaintenaceSrv32.exe drops kscaptur_ibv32.exe (md5: b41f586fc9c95c66f0967f1592641a85) under %SYSTEMROOT%\System32\ with a random name chosen from a list.
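Because the dropper hides its next-stage executables in RT_BITMAP resources, the quickest triage check on a suspected sample is to walk the resource tree, pull every RT_BITMAP leaf and ask whether the "bitmap" actually starts with an MZ header, hashing each one so it can be compared against the MD5s above. The script below is an added example, not code from the original analysis or from the malware; it parses the PE resource directory by hand (no pefile dependency) and walks a PE32 image that it constructs in-line, so the resource names 101/102 and the language IDs 0x0401 (Arabic) and 0x0409 (English) in that sample are assumptions, chosen only to illustrate the Arabic language ID point made earlier. Feed extract_rt_bitmap() the bytes of a real sample for live use.

```python
"""Dump RT_BITMAP resources from a PE and flag the ones that are really executables.

Added example, not code from the original analysis or from the malware. The PE
walked here is constructed in-line (resource names 101/102 and language ids
0x0401/0x0409 are assumptions) so the script runs offline.
"""
import hashlib
import struct

RT_BITMAP = 2          # resource type id for bitmaps
SUBDIR = 0x80000000    # high bit of OffsetToData: entry points at a sub-directory


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _resource_section(pe):
    """Return (resource directory RVA, its file offset), located via the section table."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = _u16(pe, e_lfanew + 6)
    opt_off, opt_size = e_lfanew + 24, _u16(pe, e_lfanew + 20)
    dd_off = opt_off + (96 if _u16(pe, opt_off) == 0x10B else 112)   # PE32 vs PE32+
    rsrc_rva = _u32(pe, dd_off + 2 * 8)          # IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
    if rsrc_rva == 0:
        raise ValueError("no resource directory")
    for i in range(nsect):
        hdr = opt_off + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= rsrc_rva < va + max(vsize, raw_size):
            return rsrc_rva, raw_ptr + (rsrc_rva - va)
    raise ValueError("resource directory outside every section")


def _walk(pe, base, dir_off, path, leaves):
    """Recurse through IMAGE_RESOURCE_DIRECTORY nodes; collect (id path, data-entry offset)."""
    named, by_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(named + by_id):
        name, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
        ident = "named" if name & SUBDIR else name & 0xFFFF
        if off & SUBDIR:
            _walk(pe, base, off & 0x7FFFFFFF, path + [ident], leaves)
        else:
            leaves.append((path + [ident], base + off))


def extract_rt_bitmap(pe):
    """Return one dict per RT_BITMAP leaf: name, lang, size, md5, embedded_pe, data."""
    rsrc_rva, rsrc_off = _resource_section(pe)
    leaves = []
    _walk(pe, rsrc_off, 0, [], leaves)
    found = []
    for path, entry in leaves:
        if path[0] != RT_BITMAP:
            continue
        data_rva, size = struct.unpack_from("<II", pe, entry)   # IMAGE_RESOURCE_DATA_ENTRY
        start = rsrc_off + (data_rva - rsrc_rva)                # assumes the data sits in .rsrc
        data = pe[start:start + size]
        found.append({"name": path[1] if len(path) > 1 else None,
                      "lang": path[2] if len(path) > 2 else None,
                      "size": size, "md5": hashlib.md5(data).hexdigest(),
                      "embedded_pe": data[:2] == b"MZ", "data": data})
    return found


def build_sample_dropper():
    """Constructed PE32 with one .rsrc section holding two RT_BITMAP resources (test input)."""
    rsrc_rva, raw_ptr = 0x1000, 0x200
    stage2 = b"MZ" + b"\x90" * 14 + b"<constructed next-stage stored as a 'bitmap'>"
    bitmap = b"BM" + b"\x00" * 14 + b"<constructed real bitmap>"

    def directory(entries):          # IMAGE_RESOURCE_DIRECTORY followed by its id entries
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries)) + \
            b"".join(struct.pack("<II", i, o) for i, o in entries)

    def data_entry(rva, size):       # IMAGE_RESOURCE_DATA_ENTRY
        return struct.pack("<IIII", rva, size, 0, 0)

    # type -> name -> language -> data; offsets are relative to the start of .rsrc
    rsrc = b"".join([
        directory([(RT_BITMAP, SUBDIR | 0x18)]),                  # 0x00 root: one type
        directory([(101, SUBDIR | 0x38), (102, SUBDIR | 0x50)]),  # 0x18 names under RT_BITMAP
        directory([(0x0401, 0x68)]),                              # 0x38 name 101: Arabic lang id
        directory([(0x0409, 0x78)]),                              # 0x50 name 102: English lang id
        data_entry(rsrc_rva + 0x88, len(stage2)),                 # 0x68
        data_entry(rsrc_rva + 0x88 + len(stage2), len(bitmap)),   # 0x78
        stage2, bitmap,                                           # 0x88 payload bytes
    ])
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))  # resource data directory
    sect = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + rsrc


if __name__ == "__main__":
    for r in extract_rt_bitmap(build_sample_dropper()):
        flag = "EMBEDDED PE" if r["embedded_pe"] else "bitmap"
        print(f"RT_BITMAP name={r['name']} lang={r['lang']:#06x} size={r['size']} md5={r['md5']} {flag}")
```

On the constructed sample the first RT_BITMAP (name 101, Arabic language ID) is reported as an embedded PE and the second as an ordinary bitmap. A data-entry RVA that falls outside .rsrc (some packers do this) would need a general RVA-to-offset translation instead of the single-section shortcut used here.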
The malicious suite can potentially perform lateral movement through the following shares:
Indicator of Compromise:
File: %SYSTEMROOT%\Temp\key8854321.pub [RawDisk driver key]