Shamoon / DiskTrack Malware IoC for recent Oil & Gas Energy sector attack

A variant of Shamoon malware crippled more than 300 company’s computer of Saipem, the italian Oil & Gas services firm. Yesterday, a new variant of this malware has been upload on Virus Total platform from Italy (md5: b41f586fc9c95c66f0967f1592641a85 ). The sample seems to have not been compiled recently (2011-11-28 14:53:13). The malware variant under analysis presents the Arabic language ID support which is in line with previous Shamoon version. It has the capabilities to overwrite the MBR of the infected system, make impossibile for it to boot.

Relations:

MaintenaceSrv32.exe [dropper – md5: de07c4ac94a50663851e5dabe6e50d1f ]

MaintenaceSrv32.exe seems to be the dropper of further malicious components. They are embedded in RT_BITMAP resources section.

language

MaintenaceSrv32.exe drops kscaptur_ibv32.exe (md5:b41f586fc9c95c66f0967f1592641a85) under System32/ with a random name choosen from a list.

The malicious suite can potentially perform lateral movement through the following shares:

ADMIN$

D$

C$

Indicator of Compromise:

File: %SYSTEMROOT%\Temp\reilopycb

File: %SYSTEMROOT%\inf\mdmnist5tQ1.pnf

File: %SYSTEMROOT%\inf\averbh_noav.pnf

File: %SYSTEMROOT%\Temp\key8854321.pub [RawDisk ddriver key]

Service: MaintenaceSrv

Leave a Reply

Your email address will not be published. Required fields are marked *