Skip to main content

Shamoon returns with malware in hand to wipe hard drives, nuke virtual machines

Researcher Robert Falcone of the Palo Alto Networks said on Monday that the Shamoon attack campaign has returned again to cause even more headaches than before. The campaign was first conducted in 2012 against an organization in Saudi Arabia while the second didn’t take place until 2016. Both campaigns only sought to completely wipe PCs. However, this new third discovery aims to destroy virtual machines while wiping hard drives in the process.

For a better understanding, one of Huawei’s cloud computing products is FusionCloud Desktop, which places the computing and storage aspects of a PC in the data center. End users, such as employees of a huge corporation, use a lightweight device (aka thin client) to access a server-created cloud-residing PC sporting an installed operating system, programs, storage, and so on. It’s as if everything is installed and stored locally on the employee’s thin client.

Thus, with an authorized device, these end users can access the virtual machines from anywhere there is a secure wired or wireless connection. Even more, corporations have full control over these virtual machines and can instantly replace them with a snapshot if something goes wrong. This virtual PC method can’t be attacked by disk-wiping malware because the platform doesn’t reside on physical hardware.

So how is Shamoon attacking virtual machines? According to the report, the hackers behind the current campaign managed to grab usernames and passwords from official Huawei documentation.

“Virtual Desktop Infrastructure solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems,” Falcone reports. “The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack.”

The original Shamoon attack in August 2012 targeted a Saudi Arabian energy company. It delivered malware called Disttrack that spreads to other PCs across a local network using stolen administration credentials. The attack damaged more than 30,000 systems, destroying data and making systems utterly useless. The second attack arrived in November 2016 and was set to erase all infected PCs on November 17. That took place at the end of the work week in Saudi Arabia, thus the malware had all weekend to work its magic.

The Palo Alto Networks considers this latest discovery as the second wave of November’s campaign. It’s “similar but different” than what was used in the first wave, armed with a 64-bit variant of the Disttrack payload set to begin eating data on November 29. The executable file includes wiper and communications modules for cleaning off hard drives and connecting with the hacker’s command server.

The researchers found 16 account credentials within the latest Disttrack malware that are a mixture of individual user and administrator accounts. As previously noted, some of the usernames and passwords were found in Huawei’s documents, leading the researchers to believe that the organizations simply used these default credentials instead of creating new ones.

The good news is that FusionCloud systems run a Linux operating system whereas Disttrack only attacks Windows-based systems. However, the problem is that the hacker could log into the virtual desktop infrastructure backend to destroy virtual machine deployment and any stored snapshots. That is certainly bad news for organizations that deploy virtual machines to thin clients used by employees. Without snapshots and the ability to create these virtual machines, organizations are somewhat halted.

“The targeting of VDI solutions with legitimate, stolen or default credential represents an escalation in tactics that administrators should be aware of and take immediate steps to evaluate and address,” Falcone said.

Editors' Recommendations