
A new Shamoon 3 sample uploaded to VirusTotal from France


A new sample of Shamoon 3 was uploaded on December 23 to the VirusTotal platform from France; it is signed with a Baidu certificate.

A new sample of the dreaded Shamoon wiper was uploaded on December 23 to the VirusTotal platform from France. The sample attempts to disguise itself as a system optimization tool developed by the Chinese technology company Baidu.

The new variant is signed with a digital certificate from Baidu that was issued on March 25, 2015 and that expired on March 26, 2016.

The sample was packed using the commercial packing tool Enigma version 4.

Researchers from Anomali Labs have analyzed the latest variant of the wiper and discovered that it uses an image of a burning US Dollar as part of its destructive attack and includes the text “WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN.”

In an attempt to deceive victims, the attackers used the internal file name “Baidu PC Faster” and the file description “Baidu WiFi Hotspot Setup”.

“The newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion.” reads the analysis published by Anomali Labs.

“In this case the malicious internal file name is “Baidu PC Faster” and uses the description “Baidu WiFi Hotspot Setup”. A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource “GRANT” is included which indicates that this sample was likely compiled based on the second version of the codebase.”

Experts speculate that the Shamoon 3 sample was “compiled based on the second version of the codebase,” since it shares many similarities with Shamoon 2.

Experts at Anomali Labs have not confirmed that the latest sample has been used in attacks in the wild, but they pointed out that threat actors could be active during Western holidays, as happened in 2016 with Shamoon 2.

Anomali Labs experts believe the Shamoon 3 sample was not necessarily created by the original threat actor; instead, it may be a Shamoon 2 variant modified by another threat actor.

According to the malware researchers at McAfee who analyzed the three recently discovered Shamoon samples, the latest variants may be attributed to the Iranian hacker group tracked as APT33.


Pierluigi Paganini

(SecurityAffairs – Shamoon 3, hacking)
