Breaking a two-year silence, the Shamoon data-wiping malware has been spotted in the wild again, twice. Shamoon, also called W32.Disttrack, is destructive malware that has been used in sabotage attacks, particularly against the energy sector; most famously it hit the Saudi oil company Saudi Aramco in 2012.
Once Shamoon has been launched inside a network, it spreads to other computers on that network. It has a component called the “reporter”, which sends information about the files on the infected computer back to the attackers, and a component called the “wiper”, which, as the name suggests, overwrites files on the computer. In its final stage, the malware overwrites the master boot record (MBR), so that the computer can no longer boot.
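The MBR overwrite described above is the one stage a defender can verify directly from a disk image. The following script is an added example for this article, not code from the page, from Chronicle or from the malware: it parses a 512-byte MBR, checks the 0x55AA boot signature and the sanity of the four partition-table entries, and compares the sector against a previously recorded SHA-256 baseline. The two MBRs it examines are constructed inline (a plausible single-partition layout and a sector overwritten with junk); the `read_mbr` helper and the device paths in its comment are assumptions about the platform you run it on, and reading a raw device requires administrative rights.

```python
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device. Assumed paths: '/dev/sda' on
    Linux, r'\\\\.\\PhysicalDrive0' on Windows. Needs admin rights."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def sha256_hex(mbr: bytes) -> str:
    """Baseline value to record while the machine is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four classic MBR partition entries.
    Layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected MBR length {len(mbr)}")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    active = 0
    used: List[tuple] = []
    for idx, e in enumerate(parse_partition_table(mbr)):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{e['status']:02x}")
        if e["status"] == 0x80:
            active += 1
        if e["type"] != 0:
            if e["sectors"] == 0:
                findings.append(f"partition {idx}: type set but zero length")
            used.append((e["lba_start"], e["lba_start"] + e["sectors"]))
    if active > 1:
        findings.append("more than one partition marked active")
    if not used:
        findings.append("partition table is empty")
    used.sort()
    for (s1, e1), (s2, e2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append("overlapping partition ranges")

    if baseline_sha256 is not None and sha256_hex(mbr) != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: stub boot code, one active NTFS-type
    partition starting at LBA 2048, three empty entries, boot signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sector overwritten with deterministic junk, standing in
    for an MBR that a wiper has clobbered."""
    return bytes((i * 97 + 13) & 0xFF for i in range(MBR_SIZE))


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)          # record this while the host is clean
    print("intact MBR findings:", check_mbr(good, baseline))
    print("wiped MBR findings:", check_mbr(build_wiped_mbr(), baseline))
```

In practice the baseline hash is collected from each host during provisioning and kept off the host, and the check runs from a boot medium or from a forensic image, since a machine whose MBR has already been overwritten will not boot to run it.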
Shamoon was first spotted in 2012 when it attacked the oil company Saudi Aramco, erasing data on more than 35,000 computers.
Shamoon resurfaced four years later, this time attacking private organizations in the Middle East. Those attacks ran from 2016 until January 2017.
Cybersecurity researchers from Chronicle have announced that new strains of the malware were uploaded to VirusTotal on 20 December from Italy. VirusTotal is a website created by the Spanish security company Hispasec Sistemas and bought by Google Inc in 2012.
One of the versions Chronicle is investigating has its trigger date set to December 7, 2017, 23:51. Chronicle has not been able to determine whether this version was triggered last year or has been set in motion now using a historical date, and it cannot identify the author of the strain or connect it to any specific attack.
The Italian oil-services contractor Saipem was attacked on Monday, with over 300 of the company’s servers in the Middle East, Scotland and Italy affected. It is possible that a sample was uploaded by Saipem to determine which strain of the malware was used in the attack.