Earlier last week, the disk-wiper malware was spotted back in action, with not just one, but two occurrences. The second sighting observed a different strain of the malware and was uploaded to VirusTotal on December 13, 2018, from a user in the Netherlands.
The new sample of Disstrack shares several similarities and few contrasts from its predecessor. Among the few contrasts is the trigger date, still set in the past to December 12, 2017.
A trigger or detonation date is typically set to activate the malware. In the new sample’s case, it's not clear why the threat actor used dates in the past.
“The Shamoon can retrieve detonation dates from its command and control (C2) server; the samples examined by Anomali Labs did not have the C2 configured,” Ghareeb Saad, Threat Intelligence Manager at Anomali told BleepingComputer
Another explanation for the trigger date to be set in the past is that the adversary wanted Shamoon to become active immediately after reaching the target.
"This may be achieved by altering the detonation date to 1 year in the past. Therefore, it is possible that a sample with a detonation date of December 12, 2017, represents the second wave of Shamoon V3 malware that was utilized on December 12, 2018," Researchers from Anomali Labs said.
The newly uncovered second sample that contained detonation date of December 12, 2017, is UPX (Ultimate Packer for eXecutable) packed. Other samples identified by security researchers using trigger date of 7, December 2017 were not packed utilizing UPX.
“Additionally, this sample uses a different set of file names from the earlier identified versions and a different executable file name. The file description imitates the product name “VMware Workstation” in an attempt to utilize a legitimate software product as a lure to victims,” researchers said.
Publisher