The first attacks were seen in 2012 against Saudi Aramco. Between the end of 2016 and the start of 2017, more than 15 government agencies and organizations were hit by Shamoon 2. If your organization is in Saudi Arabia and one of your employees has opened a malicious spear-phishing document, you should check for DistTrack malware in your network, as it is highly destructive.
Recommendations
The following is guidance for detecting or preventing DistTrack malware within your network. Note that any of these actions may have a negative effect on your business and should not be implemented without proper review and study of its impact on the environment.
- Monitor for Remote Registry service starts and for its start type being changed from Disabled.
- Monitor for any events in the SIEM whose timestamps fall between 1 and 20 August 2012.
- Monitor system time change events (Windows Security event 4616) that set the clock back to 2012; the wiper sets the system date into this window so that the expired license of the EldoS disk driver it carries appears valid.
- Monitor scheduled job creation and file changes under the system32 directory.
- Prevent or limit access to SMB shares.
- Prevent or throttle client-to-client (workstation-to-workstation) communication.
- Change the credentials of all privileged accounts and make sure that local Administrator passwords are unique per machine.
Indicators of Compromise
- Attackers send a spear-phishing email to employees at the target organization. The email carries a Microsoft Office document as an attachment.
- Opening the attachment triggers PowerShell and gives the attackers command-line access to the compromised machine.
- The attackers can now communicate with the compromised machine and execute commands on it remotely.
- The attackers escalate privileges and extend their access to deploy additional tools and malware to other endpoints.
- The attackers study the network by connecting to additional systems and locating critical servers.
- The attackers deploy the Shamoon (DistTrack) malware.
- A coordinated Shamoon (DistTrack) outbreak begins and hard drives across the organization are permanently wiped.
Worm
When the worm is executed, it copies itself to network shares under the following file names:
File name: netinit.exe, or one of: caclsrv, certutl, clean, ctrl, dfrag, dnslookup, dvdquery, event, extract, findfile, fsutl, gpget, iissrv, ipsecure, msinit, ntx, ntdsutl, ntfrsutil, ntnw, power, rdsadmin, regsys, routeman, rrasrv, sacses, sfmsc, sigver, smbinit, wcscript
Driver
File name: drdisk.sys (digitally signed by "EldoS Corporation")
Affected systems: any Windows machine for which credentials have been stolen.
DETECTION WITH CRYPTOSIM
Description: Detects DistTrack malware
Requirements: Audit Policy: Detailed Tracking > Audit Process Creation
Timeframe: 120 seconds
# Remote Registry service start type changed from Disabled
# Requires Windows System logs
# Requires the group policy setting 'Audit Process Creation'
# Requires Windows Security logs
Condition: selection1 or selection2 or selection3
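To show how the recommendations above, the file-name indicators and the three-selection CryptoSIM rule translate into detection logic, here is an added example correlator (written for this page; it is not CryptoSIM's own code or rule syntax). It assumes Windows events have been flattened into plain dicts with the usual event XML field names (Channel, EventID, NewProcessName, NewTime, and so on); that flattening and the sample events at the bottom are constructed for the example. selection1 watches Service Control Manager events 7040/7036 for Remote Registry, selection2 watches Security event 4616 for a clock set into 1-20 August 2012, and selection3 watches 4698 scheduled-task creation and 4688 process creation from system32 under one of the worm's file names; matches on one host within the rule's 120-second window are folded into a single alert.

```python
"""Added example correlator for the DistTrack detection ideas above.
Not CryptoSIM code; event dicts and sample events are constructed."""
from __future__ import annotations

from datetime import datetime

# File names the worm uses when copying itself to network shares (from the advisory).
SHAMOON_NAMES = {
    "netinit", "caclsrv", "certutl", "clean", "ctrl", "dfrag", "dnslookup", "dvdquery",
    "event", "extract", "findfile", "fsutl", "gpget", "iissrv", "ipsecure", "msinit",
    "ntx", "ntdsutl", "ntfrsutil", "ntnw", "power", "rdsadmin", "regsys", "routeman",
    "rrasrv", "sacses", "sfmsc", "sigver", "smbinit", "wcscript",
}
WINDOW_SECONDS = 120  # the rule's "Timeframe: 120 seconds"


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2017-01-23T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def selection1(ev: dict) -> bool:
    """Remote Registry enabled (7040, old start type Disabled) or started (7036)."""
    if ev.get("Channel") != "System" or ev.get("Provider") != "Service Control Manager":
        return False
    if "remoteregistry" not in str(ev.get("ServiceName", "")).lower().replace(" ", ""):
        return False
    if ev.get("EventID") == 7040:
        return str(ev.get("OldStartType", "")).lower() == "disabled"
    return ev.get("EventID") == 7036 and str(ev.get("State", "")).lower() == "running"


def selection2(ev: dict) -> bool:
    """System clock set to 1-20 August 2012 (Security 4616, 'The system time was changed')."""
    if ev.get("Channel") != "Security" or ev.get("EventID") != 4616:
        return False
    new_time = parse_ts(ev["NewTime"])
    return new_time.year == 2012 and new_time.month == 8 and 1 <= new_time.day <= 20


def selection3(ev: dict) -> bool:
    """Scheduled task created (4698), or a process started from system32 under one of
    the worm's file names (4688, requires 'Audit Process Creation')."""
    if ev.get("Channel") != "Security":
        return False
    if ev.get("EventID") == 4698:
        return True
    if ev.get("EventID") != 4688:
        return False
    path = str(ev.get("NewProcessName", "")).replace("/", "\\").lower()
    directory, _, base = path.rpartition("\\")
    name = base[:-4] if base.endswith(".exe") else base
    return directory.endswith("\\system32") and name in SHAMOON_NAMES


SELECTIONS = (selection1, selection2, selection3)


def detect(events: list[dict]) -> list[dict]:
    """Condition: selection1 or selection2 or selection3. Matching events on the same
    host within WINDOW_SECONDS of the first match are folded into one alert."""
    alerts: list[dict] = []
    open_alert: dict[str, dict] = {}  # host -> alert still inside its window
    for ev in sorted(events, key=lambda e: parse_ts(e["TimeCreated"])):
        matched = [fn.__name__ for fn in SELECTIONS if fn(ev)]
        if not matched:
            continue
        host, ts = ev["Computer"], parse_ts(ev["TimeCreated"])
        current = open_alert.get(host)
        if current and (ts - current["first"]).total_seconds() <= WINDOW_SECONDS:
            current["selections"].update(matched)
            current["count"] += 1
        else:
            current = {"host": host, "first": ts, "selections": set(matched), "count": 1}
            alerts.append(current)
            open_alert[host] = current
    return alerts


# Constructed sample events: one host showing the full pattern, one host with benign noise.
SAMPLE_EVENTS = [
    {"TimeCreated": "2017-01-23T09:00:00Z", "Computer": "WS-0142", "Channel": "System",
     "Provider": "Service Control Manager", "EventID": 7040, "ServiceName": "Remote Registry",
     "OldStartType": "disabled", "NewStartType": "demand start"},
    {"TimeCreated": "2017-01-23T09:00:05Z", "Computer": "WS-0142", "Channel": "System",
     "Provider": "Service Control Manager", "EventID": 7036, "ServiceName": "Remote Registry",
     "State": "running"},
    {"TimeCreated": "2017-01-23T09:00:40Z", "Computer": "WS-0142", "Channel": "Security",
     "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\ntfrsutil.exe"},
    {"TimeCreated": "2017-01-23T09:01:10Z", "Computer": "WS-0142", "Channel": "Security",
     "EventID": 4616, "PreviousTime": "2017-01-23T09:01:10Z", "NewTime": "2012-08-13T09:01:10Z"},
    {"TimeCreated": "2017-01-23T09:00:30Z", "Computer": "WS-0200", "Channel": "Security",
     "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"TimeCreated": "2017-01-23T09:00:31Z", "Computer": "WS-0200", "Channel": "Security",
     "EventID": 4616, "PreviousTime": "2017-01-23T09:00:31Z", "NewTime": "2017-01-23T09:00:32Z"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['count']} events, fired {sorted(alert['selections'])}")
```

Run against the sample, WS-0142 produces one alert with all three selections fired within 70 seconds, while WS-0200's ordinary process start and sub-second clock adjustment produce nothing. Because the rule's condition is an OR, any single selection is enough to alert; the window only groups the matches so that the analyst sees the Remote Registry change, the system32 drop and the 2012 clock change as one incident rather than three tickets.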