Pulse Detail — Threat Intelligence

PULSE NAME

Recent Shamoon Wipers

WHITE Shamoon AlienVault 2018-12-12 Modified: 2018-12-24

IOCs

MEDIUM VOLUME

We came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. We were also able to source several samples of this version of Shamoon that Trend Micro detects as Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA. While there are no obvious indications that this new version is currently in the wild, we are further analyzing the malware to verify its functions and capabilities given its destructive impact.

Indicators of Compromise (40)

All domain FileHash-SHA256 URL hostname FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	44-easypaper.org	—	2018-12-12
domain	book-library.org	—	2018-12-12
domain	browsersversion.com	—	2018-12-12
domain	cloudpackages.net	—	2018-12-12
domain	times-sync.com	—	2018-12-12
FileHash-SHA256	0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe	—	2018-12-12
FileHash-SHA256	bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003	—	2018-12-12
FileHash-SHA256	c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f	—	2018-12-12
URL	http://CloudPackages.net:443/api/info	—	2018-12-12
URL	https://103.236.149.100/api/info	—	2018-12-12
URL	https://BrowsersVersion.com:80	—	2018-12-12
URL	https://BrowsersVersion.com:80/?id=845480	—	2018-12-12
URL	https://times-sync.com/api/info	—	2018-12-12
hostname	104.27.138.44-easypaper.org	—	2018-12-12
FileHash-SHA256	89850b5f6e06db3965d0fdf8681bc6e55d3b572c97351190c247b9c8b1419850	—	2018-12-12
FileHash-SHA256	36c61c5f72821ce529a1ae9be80c15b9764f03592db1aa82b513dc7cf66bf5f3	—	2018-12-13
FileHash-SHA256	5bdc889dcd5aab722c6afbf5fac31a8b794413427bafec04ed14eb4a6abad37b	—	2018-12-13
FileHash-SHA256	7f608f9783809d0165125a685e9b5537b9343f44b6d117b26be76b48b5c8f6d3	—	2018-12-13
FileHash-SHA256	0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03	—	2018-12-13
FileHash-SHA256	391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c	—	2018-12-13
FileHash-SHA256	6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879	—	2018-12-13
FileHash-SHA256	bc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70	—	2018-12-13
FileHash-SHA256	ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150	—	2018-12-13
FileHash-SHA256	dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589	—	2018-12-13
FileHash-SHA256	f0079cbba6b570466c92ad3a74032be4d1418574b960b1fb7fc2ed8ec2ecd5f6	—	2018-12-14
FileHash-SHA1	10411f07640edcaa6104f078af09e2543aa0ca07	—	2018-12-14
FileHash-SHA1	43ed9c1309d8bb14bd62b016a5c34a2adbe45943	—	2018-12-14
FileHash-SHA1	bf3e0bc893859563811e9a481fde84fe7ecd0684	—	2018-12-14
FileHash-SHA1	ceb7876c01c75673699c74117fac64a5ca0e67a1	—	2018-12-14
FileHash-SHA1	df177772518a8fcedbbc805ceed8daecc0f42fed	—	2018-12-14
FileHash-SHA256	0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d	—	2018-12-17
FileHash-SHA256	35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b	—	2018-12-17
FileHash-SHA256	5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a	—	2018-12-17
FileHash-SHA256	d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a	—	2018-12-17
FileHash-SHA256	5257f623270b4c5cc471ff35b1bfeec80ab37c7e012da76b50ebd2c4911a43d0	—	2018-12-19
FileHash-SHA256	e5bf756d5530ec38ff649b901b3c7506f8556821d979bdcb392237f2ff40daf8	—	2018-12-19
FileHash-SHA256	2540e4c98bdb5167d63e213e7f9c0d1ec6258bc098484a51edb73bdca627d70b	—	2018-12-21
FileHash-SHA256	4d1b0fed96bbb03da033b55d893fba9f7fc9a998ff9ceb4ea87e34e45a8e0b91	—	2018-12-21
FileHash-SHA256	f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9	—	2018-12-24
FileHash-SHA256	a28bd84653efb21d64d4e6791074466ce627a12b4c7bfef5977632920f4724d0	—	2018-12-24

References (8)

↗ https://twitter.com/ThreatHunting/status/1072771496479735809 ↗ https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know ↗ https://www.axios.com/infamous-shamoon-malware-re-emerges-14911c5b-11e0-4bea-8549-1dc8a6f93848.html ↗ https://researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/ ↗ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/ ↗ https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail ↗ https://unit42.paloaltonetworks.com/shamoon-3-modified-open-source-wiper-contains-verse-from-the-quran/ ↗ https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message