Shamoon Malware Steals Data

A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring.

The Shamoon malware came to light on Thursday when researchers at Kasperksy Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn’t appear that the two are connected at this point.

“Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said.

However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it.

“The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis.

After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said.

The intent of the attackers behind the Shamoon malware isn’t too clear at this point, but the tool is collecting data from infected machines and sending off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late.