Oil and gas companies in Italy and the UAE were attacked by a new variant of the Shamoon malware; on the Italian side, about one-tenth of the files on the affected companies' computers were destroyed. Shamoon is one of the most dangerous malicious programs known. It was originally aimed at the Saudi state-owned oil giant Saudi Aramco, and once it has infected a machine it overwrites files in certain directories and the hard drive's master boot record.
Saudi Aramco was hit by Shamoon twice, in 2012 and in 2016, and the malware has been linked to Iran.
The Italian company that was attacked this time was Saudi Aramco contractor Saipem. There are differences between the new variant and the old version. A researcher said, “They could have encoded them [the SMB credentials] afterward [after obtaining them with Mimikatz], that would certainly make sense as to why the [SMB] functionality wasn’t necessary. Additionally, the networking component wasn’t there. There’s no command and control server configured. Older versions had a command and control server configured, and those would report what files were popped or overwritten.”
New variant of Shamoon #Wiper has surfaced, 80 percent equal to v1 and 28 percent equal to v2. Detection in place by most vendors. One of the hashes: 001d216ee755f0bc96125892e2fb3e3a – historical comparison attached. #DFIR #Malware pic.twitter.com/Feo6wheb08
— Christiaan Beek (@ChristiaanBeek) December 11, 2018