Researchers on Monday reported progress in piecing together some of the missing pieces of the Shamoon 2 puzzle that have been eluding them when it comes to lateral network movement and execution of the Disttrack malware component used in past campaigns.
Shamoon 2 uses a combination of legitimate tools, such as the open source utility PAExec, and batch scripts to evade detection and spread itself throughout a network, researchers at Palo Alto said, adding there are new links between Shamoon 2 and the Magic Hound campaign.
Shamoon has been blamed for nearly a decade of destructive campaigns against organizations based in Saudi Arabia. Disttrack is the Shamoon malware component and is known for its hallmark destructive behavior, where it spreads through the company’s network and overwrites the Master Boot Record on every computer it finds.
“What’s new here is the actual distribution and spreading mechanism of the Disttrack malware. Nobody has figured out how the adversaries are doing this. What we found, they are using a rudimentary but effective technique for spreading Disttrack and wiping systems,” said Bryan Lee, threat intelligence analyst.
Researchers observed in the latest Shamoon 2 campaigns, that the group behind the attacks leveraged not only user credentials of those it was targeting, but also the local host names and IP address of associated servers and endpoints within a targeted network.
“We have found evidence that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network,” wrote Robert Falcone, threat intelligence analyst and Lee, who co-authored a research blog on the findings.
Researchers said they found a Zip archive in January that contains files which the attacker used to infect other systems on the targeted network. “The actor deploys the Zip archive to this distribution server by logging in to the compromised system using Remote Desktop Protocol (RDP) with stolen, legitimate credentials and downloading the Zip from a remote server,” researchers note.
From a single compromised system, attackers are able to distribute Disttrack to other systems on a local network via a list of 256 other system host names and IP addresses that were previously acquired.
“While we do not know exactly how the threat actor initially compromised and gained RDP access to the Disttrack distribution server, we believe the actor downloads a Zip archive contained a number of files to this system,” Lee said.
The set of files saved to the distribution server are executables, batch scripts and text files, including; “exec-template.txt,” “ok.bat” and “pa.exe” to name a few. Interestingly, researchers note, the text files were sequentially numbered between 1 to 400 and contained DNS values for hostnames of systems already on the targeted network. Palo Alto believes the computer and host names were obtained from prior network probing and sourced from the Active Directory on the domain controller of the infected network.