New Variants of Shamoon Disk-Wiping Malware Uploaded to VirusTotal


New variants of Shamoon disk-wiping malware were uploaded to VirusTotal this week from Italy.

Shamoon malware was first spotted in the 2012 cyber attack against Saudi Arabian and other Gulf oil companies, in which it erased the data on more than 30,000 computers belonging to the companies.

In 2016 it was spotted in the attack against various organisations in the Persian Gulf including Saudi Arabia’s General Authority of Civil Aviation (GACA).

Shamoon malware is designed to wipe the data from an infected system and render it unusable. The malware leverages Windows Server Message Block (SMB) to spread itself to other systems on the network.
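To put the SMB spreading behaviour in detection terms, here is an added example that is not from the original article and is not Shamoon code: a small Python hunting script that flags one account completing network logons (Windows Security Event ID 4624, logon type 3) to many distinct hosts from one source inside a short window, which is the footprint a wiper spreading over SMB with a fixed credential set leaves in domain logs. The pipe-separated log lines, host names, accounts and thresholds are all constructed for the example and are assumptions, not observed telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Fields, pipe-separated:
# time|event_id|logon_type|account|source_ip|destination_host
# 4624 = successful logon, 4625 = failed logon; logon type 3 = network (SMB),
# logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = r"""
2018-12-10T03:10:02|4624|3|CORP\svc_deploy|10.20.0.15|FS-01
2018-12-10T03:10:09|4624|3|CORP\svc_deploy|10.20.0.15|FS-02
2018-12-10T03:10:17|4624|3|CORP\svc_deploy|10.20.0.15|WS-104
2018-12-10T03:10:31|4624|3|CORP\svc_deploy|10.20.0.15|WS-105
2018-12-10T03:10:44|4625|3|CORP\svc_deploy|10.20.0.15|WS-106
2018-12-10T03:11:02|4624|3|CORP\svc_deploy|10.20.0.15|WS-107
2018-12-10T03:11:20|4624|3|CORP\svc_deploy|10.20.0.15|DC-01
2018-12-10T03:11:21|4624|3|CORP\svc_deploy|10.20.0.15|DC-01
2018-12-10T03:11:55|4624|3|CORP\svc_deploy|10.20.0.15|WS-110
2018-12-10T03:05:00|4624|3|CORP\jsmith|10.20.1.44|FS-01
2018-12-10T03:40:00|4624|3|CORP\jsmith|10.20.1.44|FS-02
2018-12-10T03:41:00|4624|10|CORP\admin|10.20.1.9|WS-050
2018-12-10T09:00:00|4624|3|CORP\scanner|10.20.0.2|WS-001
2018-12-10T09:30:00|4624|3|CORP\scanner|10.20.0.2|WS-002
2018-12-10T10:00:00|4624|3|CORP\scanner|10.20.0.2|WS-003
2018-12-10T10:30:00|4624|3|CORP\scanner|10.20.0.2|WS-004
2018-12-10T11:00:00|4624|3|CORP\scanner|10.20.0.2|WS-005
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, event_id, logon_type, account, src, dst = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
        "dst": dst,
    }


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_smb_spreaders(events, window_minutes=10, min_hosts=5):
    """Return {(account, source_ip): sorted distinct hosts} for every
    account/source pair that completed successful network logons to at
    least `min_hosts` distinct hosts within any `window_minutes` period.

    Only successful (4624) network (type 3) logons count: failures and
    interactive/RDP sessions are ignored so the rule keys on SMB fan-out.
    A slow, legitimate scanner touching the same number of hosts over
    hours does not trip the window, which is the point of the time bound.
    """
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_key[(e["account"], e["src"])].append(e)

    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        # Small inputs: check the window starting at each event in turn.
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, src), hosts in find_smb_spreaders(parse_log(SAMPLE_LOG)).items():
        print(f"{account} from {src} reached {len(hosts)} hosts over SMB: {', '.join(hosts)}")
```

With the defaults, only the constructed `CORP\svc_deploy` activity is reported (seven distinct hosts in under two minutes); the `CORP\scanner` account reaches five hosts but spread over two hours, so it is only flagged if the window is widened. On a real estate the thresholds need tuning against normal administrative and backup traffic, and the rule is a triage signal, not proof of a wiper.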

The new strains were discovered by security researchers at Chronicle, who said the samples were uploaded to VirusTotal on December 10 from Italy.

The researchers also said they found no evidence linking the samples to any specific attack; who created the samples and who uploaded them is not yet known.

In one of the variants the trigger date and local time was set to December 7, 2017, 23:51, nearly one year before the date the sample was uploaded.

It is not clear whether the malware was actually used last year, or whether the attackers deliberately set the trigger date in the past so that the wiper would detonate immediately on execution rather than wait for a future date.

Researchers also noted that the credential list contained in the sample does not contain enough information to link it to any particular target.

Compared with earlier variants, the new samples carry a much longer list of filenames from which the name of the dropped executable is chosen.

Separately, earlier this week the Italian oil services company Saipem announced a cyber attack that hit its servers located in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait.

In a statement the company said the attacker had used a variant of the Shamoon malware, which caused the cancellation of data and infrastructures.

“The restoration activities, in a gradual and controlled manner, are under way through the back-up infrastructures and, when completed, will re-establish the full operation of the impacted site,” the company said in its published statement.
