Dec 11, 2018

Infamous Shamoon malware re-emerges

Investors stand in front of the Saudi Aramco logo in 2016. Photo: Fayez Nureldine / AFP via Getty Images.

Shamoon, the rarely seen but destructive malware that was used to wipe Saudi Aramco's servers in 2012, may be back in play, according to Chronicle, Alphabet's cybersecurity arm.

Why it matters: There are only three known times Shamoon variants have been used in the wild (and one of those instances is in dispute), with the Saudi incident the most famous. If the rare malware is back, it's an ominous sign.

Chronicle discovered a file containing Shamoon uploaded to its VirusTotal database. VirusTotal runs free scans on files using major antivirus scanners. The antivirus companies, in return, get access to valuable samples of malware that get uploaded.

  • The new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but was only uploaded yesterday.
  • Chronicle notes that attackers may have set the attack date to the past — perhaps by changing 2018 to 2017 — in order to start an attack immediately.
  • Another possibility, said Brandon Levene, head of applied intelligence at Chronicle, is that the malware was compiled in the past as part of preparations for a later attack.

The intrigue: "This variant is very strange," noted Levene.

  • All other Shamoon samples traveled through a network using pre-programmed credentials.
  • This sample has no pre-programmed credentials — it's limited to the computer it's first installed on.
  • Levene also said the command and control infrastructure — the internet address list allowing the malware to communicate with the hackers — was blank.
  • "It's odd that those components aren't there," said Levene. "The attackers may have a different connection to the host network and thought manually installing Shamoon would make more sense."

Other differences include the way the malware goes about deleting files.

  • Shamoon in the past has replaced all files with images that had political significance. The new attacks irreversibly encrypt the files.

The file containing Shamoon was uploaded to VirusTotal from Italy.

  • Chronicle noted in a statement: "While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East."

Shamoon famously wipes the hard drives of networked computers after sending the attacker a list of the filenames that will be deleted. But in this latest variant of Shamoon, the lack of access to command and control servers means that function no longer works.
