We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines.
The initial infection vector for the recent attacks is unknown. Analyzing the submitted files, we started to recognize similar tactics and procedures that we discovered in 2012.
When the initial executable is run, it creates a copy of itself in the %SystemRoot%\System32 folder using the name trksrv.exe and starts itself as a new service.
After the trksvr service has starts, it drops files, in either a 32- or 64-bit version, depending on the system of the victim. Reverse engineering one of the binaries, we discovered the following random-name examples that could be used for these 32- or 64-bit binaries:
- ntdsutl.exe
- power.exe
- rdsadmin.exe
- regsys.exe
- sigver.exe
- routeman.exe
- ntnw.exe
- netx.exe
- fsutl.exe
- extract.exe
Some of these filenames are the same as those used in the first Shamoon attack; other filenames are new.
This dropped executable is the wiper module and is responsible for overwriting various files on the hard disk and also the master boot record and boot sector.
The wiper module also drops the file drdisk.sys, which is a standard component from a commercial application (Eldos) that allows programs low-level access to hard disk drives. This driver was used in the first Shamoon attack, and again in this new campaign.
The wiper module initiates an enumeration of files on the victim’s disk and writes the results to a file with the extension “.pnf,” the file that the wiper module will use as an input for which files to wipe.
We are continuing our investigation into this campaign, and intend to publish further analyses.
McAfee Labs detects samples with the following names:
- W32/DistTrack
- Artemis detection
- DistTrack!sys
- Trojan-FKIQ![hash]
- Trojan-FKIR![hash]