
In November 2016, the security community first learned of a series of attacks known as “Shamoon 2.” The campaign has launched three waves as of this writing. In the first wave, bad actors infected an organization in Saudi Arabia with Disttrack. This trojan used a wiper component to overwrite protected parts of a system, including the Master Boot Record (MBR) and partition tables. Doing so prevented the machine from booting properly.

The second wave of Shamoon 2 occurred on 29 November 2016, less than two weeks after the first incident. This iteration also dropped Disttrack as its payload. Unlike the first wave, however, the malware contained administrator account credentials for Huawei’s virtualized desktop infrastructure (VDI) products. The Shamoon 2 attackers may have included them to prevent victims from restoring their systems.

Wave 3 of Shamoon 2 took place on 23 January 2017. The event didn’t differ from either the first or second waves in terms of attack vectors, payloads, or actions taken. But it did yield valuable intelligence regarding how the threat actor delivers Disttrack to hostnames they know exist on the targeted network. The attack also illuminated a distribution vector for Disttrack that might link Shamoon 2 with a network reconnaissance campaign.

Malware Delivered! Analyzing Disttrack’s Distribution Server

While they were collecting files from the third wave of Shamoon 2, Unit 42 threat researchers at Palo Alto Networks discovered something new: a ZIP archive containing files that help Disttrack infect other systems in the target network. The threat actor deploys this archive from a single compromised system on the network once they’ve logged in with Remote Desktop Protocol (RDP) using legitimate credentials. Currently, it’s not clear how the attackers initially compromise that system and gain RDP access.

Among other files, the ZIP archive contains text files named “1.txt” through “400.txt,” each holding a list of hostnames of systems on the network. These lists drive “ok.bat,” another file contained in the archive.

Unit 42 researchers Robert Falcone and Bryan Lee explain in a blog post:

“The ‘ok.bat’ batch script runs once per hostname mentioned above. This batch script is responsible for deploying Disttrack on each of these systems on the network. The script begins by copying two files to the ‘C:\Windows\temp’ folder on the remote system. The two copied files – named ‘ntertmgr32.exe’ and ‘ntertmgr32.bat’ – are the Disttrack payload and a batch script used to install the Disttrack payload on the local system, respectively. The ‘ok.bat’ script uses the PAExec (‘pa.exe’) application to run the ‘ntertmgr32.bat’ installation script on the remote system. The batch script also attempts to clear event logs via the Windows built-in ‘wevtutil’ utility in an attempt to conceal their activities and disrupt incident response and forensic analysis.”

Once the ‘ntertmgr32.bat’ batch script installs Disttrack on the local system and the malware executes, it begins to overwrite the MBR and partition tables. It also attempts to spread to other systems in the same subnet by logging in to them, copying itself over, and executing there.
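As an added example (not from the original article or from Unit 42), the Python below shows how a defender might surface the host-side traces the quoted ‘ok.bat’ workflow leaves behind: execution of a payload staged in C:\Windows\temp, use of PAExec (‘pa.exe’), and a ‘wevtutil cl’ log clear, correlated per host over a few constructed process-creation records. The key=value record shape and the field names (host, image, commandline) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry) in a simplified key=value
# shape loosely modelled on process-creation events; field names are assumed.
SAMPLE_EVENTS = [
    r'host=stage-01 image=C:\Users\admin\Desktop\pa.exe '
    r'commandline="pa.exe \\ws-17 cmd /c C:\Windows\temp\ntertmgr32.bat"',
    r'host=ws-17 image=C:\Windows\System32\cmd.exe '
    r'commandline="cmd.exe /c C:\Windows\temp\ntertmgr32.bat"',
    r'host=ws-17 image=C:\Windows\System32\wevtutil.exe '
    r'commandline="wevtutil cl Security"',
    r'host=ws-17 image=C:\Windows\System32\wevtutil.exe '
    r'commandline="wevtutil qe Application /c:5"',  # benign query, not a clear
    r'host=ws-22 image=C:\Tools\backup.exe commandline="backup.exe --full"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# wevtutil "cl" / "clear-log" is the built-in log-clearing subcommand.
LOG_CLEAR_RE = re.compile(r'\bwevtutil(\.exe)?\s+(cl|clear-log)\b', re.I)
# A .bat or .exe staged under the folder the article names.
TEMP_STAGED_RE = re.compile(r'\\windows\\temp\\[^\\\s"]+\.(bat|exe)\b', re.I)
# PAExec under its default name or renamed to pa.exe as in the article.
PAEXEC_RE = re.compile(r'(^|\\)(pa|paexec)\.exe\b', re.I)

def parse_event(line):
    """Turn one key=value record into a dict, stripping quotes from values."""
    return {k.lower(): v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return the set of heuristic tags that apply to one parsed event."""
    img, cmd = event.get('image', ''), event.get('commandline', '')
    tags = set()
    if LOG_CLEAR_RE.search(cmd):
        tags.add('log_clear')
    if TEMP_STAGED_RE.search(img) or TEMP_STAGED_RE.search(cmd):
        tags.add('temp_staged_exec')
    if PAEXEC_RE.search(img) or PAEXEC_RE.search(cmd):
        tags.add('remote_exec_tool')
    return tags

def correlate(lines):
    """Collect tags per host so that weak single signals can be combined."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev.get('host', '?')] |= classify(ev)
    return {h: sorted(t) for h, t in per_host.items()}

def suspicious_hosts(lines):
    """Hosts that both ran a temp-staged file and cleared an event log."""
    return sorted(h for h, tags in correlate(lines).items()
                  if {'temp_staged_exec', 'log_clear'} <= set(tags))
```

Each tag on its own is noisy (administrators clear logs and run PsExec-style tools), so the per-host combination is what earns an alert.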


Connected to Magic Hound?

The behavior illustrated above raises an important question: how does Shamoon 2 obtain the list of relevant hostnames for “1.txt” through “400.txt”?

Unit 42 has traced the ZIP archive back to 45.76.128[.]71. The address belongs to a cloud hosting service and sits in the same Class C IP range as 45.76.128[.]165, the location of a command and control server for Magic Hound.

Since mid-2016, the Magic Hound campaign has been leveraging Microsoft Office documents with malicious macros to infect systems with two payloads: the Pupy remote administration tool (RAT) and an IRC bot called “MagicHound.Leash.” It’s believed Magic Hound is focused solely on conducting espionage against victim organizations in the Middle East.

Given the two campaigns’ focus on entities in Saudi Arabia, use of the same cloud computing service in the same Class C IP range, and abuse of both PowerShell and meterpreter, Falcone and Lee believe the two may be connected. They explain why that’s significant:

“If the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may be able to hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials. This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and meterpreter, both of which have these types of capabilities.”

In other words, a link between Magic Hound and Shamoon 2 means the former would likely collect a list of hostnames on the target network. The latter would then incorporate this information into Disttrack’s ZIP archive, which it deploys from a compromised system.

Protecting against Shamoon 2 and Magic Hound

Unit 42 will continue to research any linkages between Shamoon 2 and Magic Hound as well as how Shamoon 2 gains RDP access to a system on a target network. In the meantime, organizations should protect themselves by creating strong network credentials, encrypting them, and storing them in a secure location. They should also train their employees to be on the lookout for phishing scams and other social engineering attacks.