Hackers hit the IT infrastructure of an Italian oil and gas company with a new version of a destructive malware program called Shamoon.
Shamoon, also known as Disttrack, was first used in 2012 in attacks against Saudi Aramco, Saudi Arabia’s national oil and gas company, and then again in 2016 against multiple targets in the same country. It is an aggressive disk-wiping malware with worm-like capabilities.
Researchers from Alphabet’s Chronicle announced this week that they discovered a new version of Shamoon that was uploaded to the VirusTotal online scanning service Dec. 10 from an IP address in Italy.
Even though Chronicle said the new variant didn’t have enough information to identify the intended victim, the upload to VirusTotal coincided with an announcement the same day by Italian oil and gas contractor Saipem that its servers were targeted in a cyberattack.
The company released more details Dec. 12, confirming that the attack used the Shamoon malware and affected servers from its offices in the Middle East, India, Scotland and, to a limited extent, Italy.
Saudi Aramco is one of Saipem’s most important customers, so the attackers behind Shamoon appear to have a continued interest in disrupting Saudi Arabia’s oil and gas operations, either directly or by targeting its contractors.
The Shamoon malware contains a trigger date for launching its destructive activity and even though it’s called a disk wiper, it actually overwrites files with random data. In the latest samples, the trigger time was set to Dec. 7, 2017 at 23:51, a year before the sample was submitted to VirusTotal.
Because of this, it’s not clear if the sample analyzed by the Chronicle researchers is an older one or if the attackers intentionally used a date in the past to trigger the destructive behavior immediately.
The new variant also has other differences compared to the versions observed in 2016 and 2012. For one, the command-and-control component has been removed and the module used to automatically spread to other computers has been neutered.
Older Shamoon variants spread to computers inside compromised networks by using hard-coded SMB credentials collected by the attackers in advance. This new variant doesn’t contain any credentials, which could suggest that attackers planted it on systems manually or through some other method.
ZDNet reports that Saipem’s IT staff is currently analyzing the possibility of compromised RDP (Remote Desktop Protocol) credentials having been used as the attackers’ primary entry point into the network.
Office 365 Users Targeted with Fake Non-Delivery Receipts
Attackers are phishing Microsoft credentials by sending emails that mimic the automated non-delivery receipts generated by Office 365, the SANS Internet Storm Center (ISC) warns.
Microsoft Office 365 is a popular service used by many organizations, so users are probably accustomed to receiving such notifications from time to time when the service can’t deliver an email, ISC Handler Xavier Mertens said.
The rogue emails observed by Martens in his honeypots offer users the option to send the email again by clicking on a button. When they do, they are directed to a fake Microsoft login page with a form that collects their credentials and sends them to the attackers.
“It is based on XMLHttpRequest which allows the browser to make a query to another page without reloading the first one,” Martens said in a report. “Depending on the results of sendx.php, you get a warning message or a redirect to the official Outlook homepage. My guess is that the PHP code tries to validate the credentials against a Microsoft service.”
This is a well-designed phishing attack that has a significant chance of success in corporate environments if users don’t pay attention to the URL of the login page before entering their credentials.