Destructive Shamoon Malware Continues its Return with a New Anti-American Message

Anomali Labs identified a new Shamoon malware sample that uses an image of a burning US Dollar, and the commercial packing tool Enigma version 4 as part of the attack.
Published on December 24, 2018
<p>Anomali Labs, in its continued hunt for the destructive Shamoon malware, has identified a new Shamoon sample that uses an image of a burning US Dollar as part of its destructive attack. Historic versions of the Shamoon wiper have used images of a burning American flag and of the drowned Syrian refugee child Alan Kurdi in targeted attacks attributed to the Iranian state. The new image carries the text "WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN" and is displayed while the files on the victim's system are overwritten.</p>
<p>The newest sample was uploaded from France on December 23, 2018 and is packed with the commercial packer Enigma version 4 as a means of obfuscation. As in previous Shamoon samples, the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion: here the internal file name is "Baidu PC Faster" and the file description is "Baidu WiFi Hotspot Setup". Closer inspection of the resources used by the sample reveals similarities with Shamoon V2. In particular, the resource named "GRANT" is present, which indicates that this sample was likely compiled from the second version of the codebase.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/ApTjLlBBT6qWOC3HCjxx"/></p>
<p><img alt="" src="https://cdn.filestackcontent.com/MIix5dHrQuamjjiPlfZb"/></p>
<p>Notably, the sample is signed with an expired Baidu certificate that was issued on March 25, 2015 and expired on March 26, 2016. A signature under a certificate that had expired more than two years before the sample surfaced confers no trust, but the certificate hash and serial listed below remain useful pivots for hunting related samples. Like other identified samples, the compilation timestamp of the malware dates to 2011.</p>
<p>At this time, Anomali Labs has not confirmed that this sample has been used to target victims in the wild. However, historic Shamoon 2 attacks occurred in November 2016 and late January 2017, and the possibility of targeted attacks timed to western holidays exists; the use of US currency in the political image that accompanies the destructive malware highlights that possibility. Anomali Labs cannot confirm at this time that this sample was created by the same actors responsible for the previous Shamoon attacks and is continuing its analysis of the malware. Anomali customers can access further context on the Shamoon malware and Yara signatures for detection via the ThreatStream platform.</p>
<h2>Associated Indicators of Compromise:</h2>
<h3>File Name:</h3>
<ul><li>gfxprc_X64_pro.exe</li><li>gfxprc_X64.exe</li></ul>
<h3>File hashes:</h3>
<p><strong>Shamoon (Packed)</strong></p>
<ul><li>d0c3852e376423247ae45c24592880b6 (MD5)</li><li>7335b8bdc62f35e2579ba18b91dc6227c586ef75 (SHA1)</li><li>f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9 (SHA256)</li></ul>
<p><strong>Shamoon (Unpacked)</strong></p>
<ul><li>5711ac3dd15b019f558ec29e68d13ca9 (MD5)</li><li>b18b92a25078aa5f23a9987fd9038440b58b9566 (SHA1)</li><li>c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9 (SHA256)</li></ul>
<p><strong>Certificate Hash</strong></p>
<ul><li>4B953F30F1DE4DFEF894B136DAA155CEAFC243A0</li></ul>
<p><strong>Certificate Serial</strong></p>
<ul><li>5faee9e83f32948f3b2040ac6df0145c</li></ul>
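<p>As an added triage example (written for this page, not Anomali Labs' code or a ThreatStream signature), the script below checks a file against the hashes listed above, reads the PE compile timestamp from the COFF header so a 2011 build date can be flagged, and searches for the UTF-16LE version-info strings and the "GRANT" resource name described in the analysis. The function names, the <code>build_demo_pe</code> stand-in (a minimal MZ/PE header with the lure strings appended, constructed so the script runs offline) and the string search itself are assumptions of this example: the search is a heuristic over raw bytes, not a full walk of the resource directory, and the stand-in is not the Shamoon sample.</p>

```python
"""Triage helper for the Shamoon sample characteristics described above.

Added example, not Anomali Labs code. Matches a file against the published
hashes, reads the PE compile timestamp from the COFF header, and searches for
the UTF-16LE lure strings and the "GRANT" resource name. The bytes returned by
build_demo_pe() are a constructed stand-in, not the real malware.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Hashes published in the post, keyed by stage. The digest type is implied
# by length (32 hex chars = MD5, 40 = SHA1, 64 = SHA256).
IOC_HASHES = {
    "d0c3852e376423247ae45c24592880b6": "Shamoon (Packed)",
    "7335b8bdc62f35e2579ba18b91dc6227c586ef75": "Shamoon (Packed)",
    "f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9": "Shamoon (Packed)",
    "5711ac3dd15b019f558ec29e68d13ca9": "Shamoon (Unpacked)",
    "b18b92a25078aa5f23a9987fd9038440b58b9566": "Shamoon (Unpacked)",
    "c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9": "Shamoon (Unpacked)",
}

# Strings the post reports in the sample's version info and resource table.
# PE stores version-info strings and named resources as UTF-16LE, so the
# search below uses that encoding. (Heuristic: a raw byte search, not a
# parse of the resource directory.)
LURE_STRINGS = ["Baidu PC Faster", "Baidu WiFi Hotspot Setup", "GRANT"]


def match_hashes(data: bytes) -> dict:
    """Return {digest_name: stage} for every published hash the data matches."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: IOC_HASHES[h] for name, h in digests.items() if h in IOC_HASHES}


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    # After the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def find_lure_strings(data: bytes) -> list:
    """Return the lure strings present as UTF-16LE anywhere in the file."""
    return [s for s in LURE_STRINGS if s.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Combine the three checks into one report for a file's bytes."""
    ts = pe_timestamp(data)
    return {
        "hash_matches": match_hashes(data),
        "compile_time": ts.isoformat() if ts else None,
        # The post notes a 2011 compile timestamp as a recurring Shamoon trait.
        "timestamp_2011": bool(ts and ts.year == 2011),
        "lure_strings": find_lure_strings(data),
    }


def build_demo_pe() -> bytes:
    """Constructed stand-in: a minimal MZ/PE header with a 2011 timestamp and
    the lure strings appended as UTF-16LE. It is NOT the Shamoon sample."""
    ts = int(datetime(2011, 6, 15, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0)
    tail = b"".join(s.encode("utf-16-le") + b"\0\0" for s in LURE_STRINGS)
    return dos + coff + tail


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

<p>Run it with a path to a suspect file, or with no argument to see the report for the constructed stand-in. A hash hit against the unpacked list is the strongest signal; the timestamp and string checks are weaker and are meant to surface repacked variants that the hashes alone would miss, which is why they are reported separately rather than folded into a single verdict.</p>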
