A new version of the destructive wiper malware Shamoon was first identified by security researchers on December 5, 2018. This malware, dubbed Shamoon V3, appears to be a new version of the destructive malware historically associated with advanced persistent threat (APT) actors aligned with the interests of the Iranian state. It has targeted at least one European oil and gas company with operations in the Middle East and Asia. Unconfirmed reports also indicate that entities in the UAE oil and gas industry may be affected as well. A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it performs its destructive actions immediately after infecting a user's machine. Although not confirmed to be the work of Iranian APT groups, the malware's codebase, targeted sector, and targeted geography have all been observed in historic attacks that were later attributed to adversaries from the region.
Anomali Labs researchers have identified what appears to be a sample from a second wave of the Shamoon V3 destructive malware attacks. The newly identified sample contains a detonation date of December 12, 2017 and is UPX packed. Other samples identified by security researchers use a detonation date of December 7, 2017 and were not UPX packed. Researchers believe that the 2017 detonation dates reflect an attacker effort to have samples detonate immediately upon infection of a victim system: a detonation date set one year in the past has already passed by the time the malware runs. It is therefore possible that a sample with a detonation date of December 12, 2017 represents a second wave of Shamoon V3 malware that was used on December 12, 2018.
Additionally, this sample uses a different set of file names from those in earlier identified versions, as well as a different executable file name. The sample was uploaded to VirusTotal on December 13, 2018 by a user in the Netherlands. Its file description imitates the product name "VMware Workstation" in an attempt to use a legitimate software product as a lure.
Anomali Labs has not correlated this sample to an active cyber-attack at this time; however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.
Additional details regarding Shamoon V3 can be found in the below Anomali Threat Bulletin:
Anomali Threat Bulletin -- https://ui.threatstream.com/tip/233851