Threat Management, Critical Infrastructure Security, Threat Management, Threat Intelligence, Incident Response, Malware, TDR

Researchers tentatively link Greenbug cyberspy group to Saudi Shamoon attackers

Share

Researchers may have found a tenuous link between a cyberspy organization's credentials-stealing trojan and the Shamoon hacking group that's been targeting Saudi energy companies with Disttrack disk-wiping malware.

According to Symantec, the Greenbug cyberespionage group, known for targeting entities in the Middle East, used the remote access trojan "Ismdoor" to steal credentials from at least one admin computer inside a Saudi organization that was later struck by Disttrack in a wave of attacks on Nov. 17, 2016.

Shamoon's attacks, including one that destroyed 35,000 computers at Saudi oil company Aramco in 2012, require an attacker to use stolen credentials to access the intended victim's systems and implant the Disttrack malware, the company explained in a Monday blog post.

Ismdoor is believed to be exclusively used by Greenbug. The cyberespionage group has been active since at least June 2016 and has targeted organizations across a variety of sectors – including energy – in Saudi Arabia, Iran, Bahrain, Iraq, Qatar, Kuwait and Turkey, the blog post continued.

Symantec believes Greenbug infects its victims via an email that asks recipients to download an RAR file (the format for the WinRAR archiver) that supposedly features a business proposal. In reality, it contains a CHM (Compiled HTML Help) file that includes a Windows alternative data stream, which hides the Ismdoor payload.

Upon execution, Ismdoor opens a backdoor on the infected computer, and leverages Windows PowerShell to set up a command-and-control link used for downloading spy tools that steal credentials and log keystrokes, among other functions.

"The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon," the Symantec blog post explains. "Greenbug's choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious. At this time, Symantec tracks these groups separately unless additional corroborating evidence emerges."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related

Novel WolfsBane backdoor leveraged in Chinese attacks against Linux systems

Attacks with Wolfsbane commence with the deployment of the 'cron' dropper delivering the KDE desktop component-spoofing launcher, which deactivates SELinux and alters user configuration files before triggering the privacy malware component that has file operation, data theft, and system manipulation command support, an analysis from ESET revealed.

Related Events

Related Terms

Account HarvestingBackdoorBoot Record InfectorBotnetDarknetData MiningDefacementDenial of ServiceDictionary AttackReconnaissance

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.