
New Shamoon V3 Malware Targets Oil and Gas Sector in the Middle East and Europe

A new version of destructive wiper malware Shamoon was first identified by security researchers on December 5, 2018.

Anomali Threat Research
December 13, 2018
<p>A new version of the destructive wiper malware Shamoon was first identified by security researchers on December 5, 2018. This malware, dubbed Shamoon V3, appears to be a new version of the destructive malware that has historically been associated with advanced persistent threat actors aligned with the interests of the Iranian state. It has targeted at least one European oil and gas company with operations in the Middle East and Asia. Unconfirmed reports also indicate that entities in the UAE oil and gas industry may be affected. A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it performs its destructive actions immediately after infecting a user’s machine. Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.</p>
<p>Anomali Labs researchers have identified what appears to be a sample from a second wave of the Shamoon V3 destructive malware attacks. The newly identified sample contains a detonation date of December 12, 2017 and is UPX packed. Other samples identified by security researchers used a detonation date of December 7, 2017 and were not UPX packed. Researchers believe that the 2017 detonation dates represent attacker efforts to have malware samples detonate immediately upon infection of a victim system. This may be achieved by setting the detonation date one year in the past, so that the trigger condition is already satisfied at the moment of infection. Therefore, it is possible that a sample with a detonation date of December 12, 2017 represents a second wave of Shamoon V3 malware that was used on December 12, 2018.</p>
<p>Additionally, this sample uses a different set of file names from earlier identified versions and a different executable file name. The sample was uploaded to VirusTotal on December 13, 2018 by a user in the Netherlands. The file description imitates the product name “VMware Workstation” in an attempt to use a legitimate software product as a lure for victims.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/eED978b8S1WKHr5R2W1Y"/></p>
<p>Anomali Labs has not correlated this sample to an active cyber-attack at this time; however, analysts believe that it may represent additional targets within the Shamoon V3 campaign.</p>
<p>Additional details regarding Shamoon V3 can be found in the Anomali Threat Bulletin below:<br/> Anomali Threat Bulletin -- <a href="https://ui.threatstream.com/tip/233851" target="_blank">https://ui.threatstream.com/tip/233851</a></p>
<p><strong>IOCs</strong><br/> MD5: fa06a08c36bbd19c80c3831736020823<br/> SHA-1: dfb069d22be70888784a81948328ca1da6a7d38f<br/> SHA-256: 7f608f9783809d0165125a685e9b5537b9343f44b6d117b26be76b48b5c8f6d3<br/> <a href="https://www.virustotal.com/#/file/7f608f9783809d0165125a685e9b5537b9343f44b6d117b26be76b48b5c8f6d3/detection" target="_blank">https://www.virustotal.com/#/file/7f608f9783809d0165125a685e9b5537b9343f44b6d117b26be76b48b5c8f6d3/detection</a></p>
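<p>The following triage script is an added example and is not Anomali's code or tooling. It takes the three indicator hashes published above, hashes every file under a directory with MD5, SHA-1 and SHA-256, and flags exact matches; it also parses the PE section table to flag files whose sections carry the default UPX names, which is the trait that distinguishes this sample from the earlier, unpacked ones. The UPX check is a heuristic (packer operators can rename sections), the PE parser is deliberately minimal, and the <code>build_test_pe</code> helper constructs a harmless PE-shaped byte string purely so the script can be exercised offline.</p>

```python
"""Hash-and-packer triage for the Shamoon V3 indicators above (added example, not Anomali's code)."""
import hashlib
import struct
import sys
from pathlib import Path

# Indicator hashes exactly as published in the post (MD5, SHA-1, SHA-256 of the same sample).
SHAMOON_V3_IOCS = {
    "fa06a08c36bbd19c80c3831736020823",
    "dfb069d22be70888784a81948328ca1da6a7d38f",
    "7f608f9783809d0165125a685e9b5537b9343f44b6d117b26be76b48b5c8f6d3",
}


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests so any of the three IoC forms can match."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc(data: bytes) -> bool:
    """True if any digest of the data appears in the published indicator set."""
    return any(h in SHAMOON_V3_IOCS for h in file_hashes(data).values())


def pe_section_names(data: bytes) -> list:
    """Minimal PE parser: return section names, or [] for anything not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1/UPX2; renamed sections evade this."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def triage_bytes(data: bytes, label: str = "<memory>") -> dict:
    """Combine hash matching and the packer heuristic into one triage record."""
    return {"path": label, "ioc_match": matches_ioc(data),
            "upx": looks_upx_packed(data), **file_hashes(data)}


def scan_directory(root) -> list:
    """Triage every regular file under root; the caller decides what to do with hits."""
    return [triage_bytes(p.read_bytes(), str(p)) for p in Path(root).rglob("*") if p.is_file()]


def build_test_pe(section_names) -> bytes:
    """Construct a harmless, minimal PE-shaped byte string (constructed test input, not malware)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    for rec in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        if rec["ioc_match"] or rec["upx"]:
            print(rec)
```

<p>Run it as <code>python triage.py /path/to/suspect/share</code>; only records that match a published hash or carry UPX section names are printed. A hash match is high-confidence, while a UPX hit on its own is only a reason to look closer, since plenty of legitimate software ships packed.</p>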
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.


