'Enhanced' Shamoon 2 Strikes AgainOn November 29th, 2016, researchers at Palo Alto Networks detected an attack against a second organization based in Saudi Arabia. The campaign delivered a Disttrack sample that was in many respects similar to the November 17, 2016, payload. As we saw in the first Shamoon 2 attack, the malware came with three components – a dropper, a communication module and a wiper. Disttrack also retained its ability to spread through the local network by logging in with legitimate domain account credentials, copying itself to the system, and creating a scheduled task that executes the payload. But not everything was the same. First, researchers found 16 sets of user and administrator account credentials hardcoded into the malware. All but one of those passwords fulfilled Windows' complexity requirements: they contained both uppercase and lowercase letters as well as at least one number and/or one symbol. That's not even the most significant change, however. Researchers at Palo Alto Networks explain:
"A new development with this latest Disttrack payload is that several of the usernames and passwords are found within official documentation as administrator accounts for Huawei’s virtualized desktop infrastructure (VDI) products, such as FusionCloud. This may suggest that the targeted organization used these credentials when deploying Huawei VDI systems. Shamoon actors may have obtained these credentials from a prior attack; however, it is also possible that the actors included these default usernames and passwords as an attempt to guess the login credentials to the VDI infrastructure."So, what's the big deal? VDI solutions take snapshots of a system at a given time in a certain state. Organizations can therefore use these technologies to recover from wiper malware like Disttrack. But if Disttrack comes with default credentials for well-known VDI products, it can log into those solutions, wipe any saved snapshots, and thereby prevent an organization from restoring their systems.