W32.Disttrack, better known as SHAMOON, is a unique type of malware with a modular and destructive temperament. Originally intended for cyber warfare purposes, it targets the latest 32-bit kernel of the Microsoft Windows NT operating system. One of its most widely reported uses involved a group of social activists who attacked two of the largest Middle Eastern oil conglomerates: Aramco, a state-owned enterprise in the Kingdom of Saudi Arabia; and RasGas, the now-defunct natural gas organization owned by the government of Qatar.
In August 2012, the Shamoon virus was discovered by three of the world’s most renowned IT security vendors: Seculert, Kaspersky Lab and Symantec. It didn’t take long to predict the economic devastation it would have on Aramco’s assets and recovery efforts. The Shamoon virus reportedly erased the hard drives of 30,000 of the company’s workstations. Though Aramco did its best to control the narrative surrounding the incident, many security experts formed their own conclusions. Most of them believe that Aramco was merely “saving face” by downplaying the level of damage it incurred from the Shamoon infection.
Updated Versions of the Shamoon Virus
In November 2016 and January 2017, IBM’s X-Force Cybersecurity and Incident Response and Intelligence Services (IRIS) teams detected that Shamoon-related attacks were carried out against organizations in the Persian Gulf. Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA are two detection names for samples of Shamoon’s updated version. Whereas the first incarnation of Shamoon would overwrite documents and files (including photos and videos) and replace them with images of burning American flags, its later iterations built on those political undertones by using images protesting the Syrian refugee crisis.
According to an investigative report, the latest version of Shamoon was uploaded from Italy in December 2018. This version was said to target both 32-bit and 64-bit Windows operating systems. Like previous versions, it could overwrite master boot records (MBRs), but it also contained credentials for lateral movement within networks and Command and Control (C&C) environments. Nonetheless, there is no credible evidence that this version of the Shamoon virus is actively in the wild.
How it Works
Like most viruses and worms, the Shamoon virus enters a computer network through phishing emails and other messaging schemes; this is how the cyber attack against Aramco was triggered. Other points of entry are gained by exploiting a system’s vulnerabilities. Once a computer is infected, the virus propagates to other machines connected to the same network. This propagation component is known as the Dropper.
Underscoring its stealth, the Shamoon virus is capable of copying specific files to and from specific locations. It can also transmit files to an attacker-controlled domain, or replace and delete them at will. Similar to ransomware, it can overwrite the master boot record of the targeted system and render an infected computer unbootable. This component, known as the “Reporter,” typically offers no reprieve, not even in exchange for payment.