Destructive Shamoon Malware Continues its Return with a New Anti-American Message | Anomali

Destructive Shamoon Malware Continues its Return with a New Anti-American Message

December 24, 2018 | Anomali Labs

Anomali Labs in its continued hunt for the destructive Shamoon malware, has identified a new Shamoon malware sample that uses an image of a burning US Dollar as part of its destructive attack. Historic versions of the Shamoon destructive wiper have utilized images of a burning American flag and the drowned Syrian refugee and child Alan Kurdi as part of targeted attacks attributed to the Iranian State. The image includes the text "WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN" which is displayed in tandem with the overwriting of files on a victim's system.

The newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion. In this case the malicious internal file name is "Baidu PC Faster" and uses the description "Baidu WiFi Hotspot Setup". A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource "GRANT" is included which indicates that this sample was like compiled based on the second version of the codebase.

Notably, the sample is signed with an expired Baidu certificate that was issued on March 25, 2015 and expired on March 26, 2016. Like other identified samples the compilation time stamp of the malware sample dates to 2011.

At this time, Anomali Labs has not confirmed that this sample has been used to target victims in the wild. However, historic Shamoon 2 attacks occurred in November 2016 and late January 2017. The possibility for targeted attacks occurring during western holidays exists. This possibility is highlighted by the use of US currency in the political image that accompanies the destructive malware. Anomali Labs can not confirm at this time that this sample has been created by the same actors responsible for the previous Shamoon attacks and is continuing its analysis on the malware. Anomali customers can access further context on the Shamoon malware and Yara signatures for detection via the ThreatStream platform.

Associated Indicators of Compromise:

File Name:

  • gfxprc_X64_pro.exe
  • gfxprc_X64.exe

File hashes:

Shamoon (Packed)

  • d0c3852e376423247ae45c24592880b6
  • 7335b8bdc62f35e2579ba18b91dc6227c586ef75
  • f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9

Shamoon (Unpacked)

  • 5711ac3dd15b019f558ec29e68d13ca9
  • b18b92a25078aa5f23a9987fd9038440b58b9566
  • c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9

Certificate Hash

  • 4B953F30F1DE4DFEF894B136DAA155CEAFC243A0

Certificate Serial

  • 5faee9e83f32948f3b2040ac6df0145c
Anomali Labs
About the Author

Anomali Labs

Get the latest threat intelligence news in your email.