Data stolen and computers made unusable as 'Shamoon' malware spreads

Several security firms have discovered new malware that appears to be targeting specific companies in the energy industry.

Though Shamoon includes components that reminded security analysts of the Flame malware, the threat does not appear to be widespread.

According to Symantec, Shamoon "is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable."
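The MBR overwrite Symantec describes is detectable from the defender's side: the first sector of a disk has a fixed layout, so a host-integrity check can tell an intact sector from one that has been zeroed or pattern-filled. The script below is an added example written for this page, not code from Symantec or any of the firms quoted; the sample sector is constructed inline, and the baseline-hash workflow is an assumption about how a monitoring job would use it.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four primary partition entries from a 512-byte MBR."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "start_lba": start_lba, "sectors": sectors})
    return entries


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector, recorded as a baseline while the host is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if len(set(mbr[:PARTITION_TABLE_OFFSET])) <= 1:
        findings.append("bootstrap code area is a uniform fill")
    if not any(p["type"] and p["sectors"] for p in parse_partitions(mbr)):
        findings.append("no usable partition entry")
    if baseline_sha256 is not None and mbr_fingerprint(mbr) != baseline_sha256:
        findings.append("MBR differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR (not a real boot sector)."""
    code = bytes((i * 7 + 3) & 0xFF for i in range(PARTITION_TABLE_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("healthy:", check_mbr(good, baseline))
    print("wiped:  ", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

On a live host the 512 bytes would come from the raw disk device rather than `build_sample_mbr()`; the checks themselves are unchanged.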

Seculert said this approach is puzzling. "Why would someone wipe files in a targeted attack and make the machine unusable?" the firm wrote in a blog post.

Seculert said "it's rare to find this type of malware in targeted attacks." The firm suggested Shamoon is a two-stage attack: the attackers take control of an internal machine connected to the Web and use it as a proxy to the external Command-and-Control (C2) server, which infects other internal machines; once the other machines are infected, Shamoon is released, wiping the malware and stolen data.

"It is still unclear who is behind the attack," Seculert said.

Shamoon, which is Arabic for Simon, got its name thanks to the associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

"The 'wiper' reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame," according to Kaspersky Lab.

"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not," Kaspersky said in a separate blog post. "The original 'Wiper' was using certain service names ('RAHD...') together with specific filenames for its drivers ('%temp%\~dxxx.tmp') which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware."

Kaspersky speculated that Shamoon is "the work of script kiddies inspired by the [wiper] story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often."

In collecting data about Shamoon in recent days, Kaspersky identified only two instances of Shamoon in the wild, both of which appear to be from Chinese security researchers. "So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks," the firm said.