How to outfox Shamoon? Put Deception to work!

Acalvio Threat Labs

Shamoon is one of the critical threats that has been able to penetrate traditional defenses successfully not once, twice, but thrice – in 2012, 2016 and 2017.  The main purpose of Shamoon Threat Actor was the destruction of the endpoint computers by wiping the Master Boot Record (MBR), rendering them unusable.  If malware infects the end point, the effect is limited only to the infected end point.  Since Shamoon can spread across the internal network, the scope of it’s destruction is not limited to the infected endpoint, but can affect machines in the same subnet. Shamoon erased data on 75% of Aramco’s corporate PCs[1]. The first section of this blog covers an in-depth technical analysis of the lateral movement technique used by Shamoon. Since Shamoon has been able to penetrate the traditional defenses multiple time, the second section discusses a detection architecture that can be used to detect catastrophic attack like Shamoon.

Lateral Movement by Shamoon

Shamoon runs as a service and attempts to spread to other hosts on the subnet. Once the endpoint is infected by Shamoon, it spawns 3 general functionality threads for SMB network enumeration and spreading, command and control, and running the disk wiper module.

Spreading across the Network is performed via local subnet enumeration (/24 subnet) with multiple credentials (3 sets) and share locations (4 locations). As a part of first step, the malware inherits the IP address of the infected machine.

Figure 1.0 Network IP Address Iteration of Shamoon.

As shown in figure 1.0, it then loops over the 4th IPv4 octet, starting from 0, skipping its own IP and ending with 254, thus making an attempt to spread across every computer in the sub-net.

Figure 2.0 Showing the Operation Mode in Shamoon.

As shown in figure 2.0, Shamoon has a hard-coded operational mode flag, “F” or “S” set at compile time to determine fast or slow mode of operation.  As shown in figure 3.0, in the fast mode, the malware spawns threads for each IP address. In slow mode it will synchronously spans each IP address waiting for each network call to either succeed or timeout before moving to the next IP address.

Figure 3.0 Showing the fast and Slow mode of Shamoon.

For each IP address, the malware attempts a set of credentials to get access to the machine which are shown in Table 1.0.

Table 1.0 Showing the list of Credentials and Passwords used by Shamoon.

For each set of hard-coded credentials, the malware attempts a connection with each hard-coded remote share location listed below:

• • C$\WINDOWS
  • D$\WINDOWS
  • E$\WINDOWS
  • ADMIN$

Figure 4.0 showing the  username and passwords.

As shown in figure 4.0, attempt to connect to the machine using the hard coded username and password is  performed by first checking RemoteRegistry service on the target is running, and then disabling UAC through a registry key

• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

After the remote registry check and UAC disable attempt, NetUseAdd is called for the credential set and share location.

Figure 5.0 Code snippet which shows the Registry Disabling attempt of Shamoon

If the NetUseAdd call fails or times out, the malware attempts the next remote share / credential set. If the NetUseAdd call succeeds, the malware continues spreading by calling  Windows API functions to copy itself to \system32 directory.  Once it has copied the file in the machine, it then dynamically invokes the Windows function “NetScheduleJobAdd” and schedules a remote task on the target system to run the dropped file. Thereafter,  as shown in figure 7.0 it deletes the remote job after 95 seconds.

Figure 6.0 code showing the scheduling of Service.

Figure 7.0 code showing the deletion of the service.