Post by Hila Cohen
The DistTrack malware, also known as “Shamoon,” is back with a vengeance. First observed in 2012 by Seculert, the latest incarnation of DistTrack is even more virulent than its predecessor and more destructive to the systems it touches.
The new version of DistTrack appears to be designed to inflict maximum damage rather than to exfiltrate data to remote computers and then destroy the targeted host operating system. DistTrack is highly sophisticated, with a modular architecture that includes redundant command-and-control components, binary versions adapted to the target system, and a well-equipped resource section.
DistTrack is clearly politically motivated—it includes a now infamous image of a drowned child who was fleeing Syria with his parents—and is attacking systems in Saudi Arabia to support its campaign to protest the Syrian refugee crisis.
DistTrack uses advanced API functions to avoid being sandboxed, and hard-coded, pre-acquired administrative credentials to spread quickly among systems. It uses weaponized versions of legitimate files, such as the RawDisk driver, to access partitions and overwrite key files with the drowned child image. In this way, it can cripple systems quickly and irreparably, causing maximum damage and visibility.
TrapX has the tools and expertise needed to identify and isolate DistTrack rapidly and stop an attack, enabling resumption of normal operations with confidence. Using TrapX DeceptionGrid, TrapX Labs has succeeded in fully mapping the methods used by DistTrack to propagate itself and complete its mission.
TrapX presents the sequence of events involved in a DistTrack attack using patented visualization techniques such as the Event Analyzer Timeline, including packet capture (PCAP) content to support packet-level deep analysis. The report also includes copies of the binaries employed, to give a complete picture of the indicators of compromise associated with affected machines.
Click here for the report: TrapX Labs Research Report: DistTrack It’s Back With a Vengeance