It's been quite a year for every Internet user: the year has seen thousands of cyber-attacks, with millions of people affected.
And the year isn't over yet. Researchers have observed one more piece of malware, reported to be a variant of Shamoon, a wiper first seen in 2012.
This time Shamoon returns carrying an image of a burning US dollar bill with an anti-American message written on it. The message reads: ‘WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN’.
Reports indicate the malware originated in France and is packed with the Enigma packer (version 4) for distribution. Earlier versions of Shamoon posed as a setup file for a PC cleaning tool; this version uses the internal file name “Baidu PC Faster” and the description “Baidu Wifi Hotspot Setup”.
This variant is signed with an expired Baidu certificate issued for 2015-2016. The digital signature is there to make the file look legitimate to users and to bypass detection.
How Does Shamoon Work?
Shamoon arrives as a dropper with three main functions: it collects data and runs routines used for obfuscation, anti-debugging and anti-forensic purposes. A single command-line argument is enough to activate the dropper on the victim's system.
Once the dropper is activated, it decodes its three resources and installs them in the %System% folder on the victim's machine. It creates a maintenance service named MaintenaceSrv, which serves as the wiper. The name is chosen so that the service blends in and is left alone by cleaning or optimization tools.
The wiper uses the ElRawDisk.sys driver for raw access to the victim's disk and overwrites data in every folder and disk sector. This leaves the infected machine in a critical, unusable state before it finally reboots.
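The two artefacts named above (the misspelled MaintenaceSrv service and the ElRawDisk.sys driver dropped into %System%) are the kind of thing a host inventory check can look for. The following is an added example written for this article, not code from the article or from any vendor report. The inventory layout is an assumption: `services` stands in for a service listing and `files` for a directory walk, and %System% is taken to mean the System32 directory. The sample inventory is constructed.

```python
"""Scan a host inventory for the Shamoon artefacts described above.

Added example (not from the article). The inventory structure is an
assumption: 'services' stands in for a service listing and 'files' for a
directory walk; %System% is taken to mean the System32 directory.
"""

# Indicators named in the article. Comparison is case-insensitive because
# Windows service names and file names are case-insensitive.
IOC_SERVICE_NAME = "maintenacesrv"   # the missing 'n' in "Maintenance" is part of the indicator
IOC_DRIVER_FILE = "elrawdisk.sys"    # raw-disk driver used by the wiper

# Constructed sample inventory, standing in for the output of a real host scan.
SAMPLE_INVENTORY = {
    "hostname": "ws-finance-07",
    "system_dir": r"C:\Windows\System32",
    "services": [
        {"name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
        # benign name, spelled correctly: must NOT match
        {"name": "MaintenanceSrv", "image": r"C:\Program Files\Vendor\maint.exe"},
        # the Shamoon service, in unusual case to exercise normalisation
        {"name": "maintenacesrv", "image": r"C:\Windows\System32\maintenace.exe"},
    ],
    "files": [
        r"C:\Windows\System32\drivers\ntfs.sys",
        r"C:\Windows\System32\ELRAWDISK.SYS",
        r"C:\Users\alice\Downloads\elrawdisk.sys",   # same driver outside %System%
    ],
}


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case, no trailing slash."""
    return path.replace("/", "\\").rstrip("\\").lower()


def find_shamoon_indicators(inventory):
    """Return a list of findings; each is a dict with 'indicator', 'evidence' and 'confidence'."""
    findings = []
    system_dir = _norm(inventory["system_dir"])

    for svc in inventory.get("services", []):
        if svc["name"].lower() == IOC_SERVICE_NAME:
            findings.append({
                "indicator": "service:MaintenaceSrv",
                "evidence": f"{svc['name']} -> {svc['image']}",
                "confidence": "high",
            })

    for path in inventory.get("files", []):
        norm = _norm(path)
        if norm.rsplit("\\", 1)[-1] != IOC_DRIVER_FILE:
            continue
        in_system = norm.startswith(system_dir + "\\")
        findings.append({
            "indicator": "file:ElRawDisk.sys",
            "evidence": path,
            # A copy in %System% matches the article's description; a copy elsewhere
            # still merits a look but is weaker evidence on its own.
            "confidence": "high" if in_system else "medium",
        })
    return findings


def summarize(inventory):
    """One-line verdict per host, suitable for a SIEM alert or a ticket."""
    findings = find_shamoon_indicators(inventory)
    if not findings:
        return f"{inventory['hostname']}: no Shamoon indicators"
    high = sum(1 for f in findings if f["confidence"] == "high")
    return f"{inventory['hostname']}: {len(findings)} indicator(s), {high} high confidence"


if __name__ == "__main__":
    for f in find_shamoon_indicators(SAMPLE_INVENTORY):
        print(f"[{f['confidence']:6}] {f['indicator']}: {f['evidence']}")
    print(summarize(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the check flags the odd-case `maintenacesrv` service and both copies of the driver, while the correctly spelled `MaintenanceSrv` is left alone. Matching is exact on the normalised name rather than a substring search, which keeps the false-positive rate low on a fleet-wide sweep.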
Capabilities Of Shamoon & Its Earlier Versions
Any malware is dangerous even if it only does part of what it was built to do. Shamoon can perform several actions on a victim's system, including:
- Overwrite files with unwanted and inappropriate data.
- Overwrite a file with another file.
- Encrypt system files and take control of the boot record.
Preventions:
To stay secure, some user-side precautions should be in place. Among them:
- Check the list of extensions installed in your web browser regularly. If a malicious or unverified extension is found, remove it manually or use a clean-up tool to do it automatically.
- Use a firewall to restrict remote desktop access and stop attackers from reaching it.
- Detect and delete suspicious or unverified emails and attachments. Make sure an attachment is a genuine file before downloading or extracting it. Do not open URLs embedded in emails, even when the sender is one of your contacts; if you want to visit the site, type the address into the browser directly.
- Block attachments with file extensions such as:
Exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Create a whitelist of the trusted software you use, so that no unauthorized or third-party software can get its hands on system information.
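Blocking the extensions listed above is only useful if the check survives the usual tricks: mixed case, a trailing dot or space, a double extension such as `invoice.pdf.exe`, or a right-to-left override character that makes `.scr` display as `.pdf`. The following is an added example written for this article, not code from the article; `check_attachment()` and the sample attachment names are constructed, and a real mail gateway would apply the same logic to each MIME part's filename.

```python
"""Attachment check built from the extension blocklist above.

Added example (not from the article). check_attachment() and the sample
names are constructed; a real gateway would call this per MIME part.
"""

# The article's blocklist, split into a set of lower-case extensions.
BLOCKED_EXTENSIONS = set(
    "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf".split("|")
)

# Unicode bidirectional controls (LRE..RLO and LRI..PDI) that can make a name
# ending in '.scr' render as if it ended in '.pdf'.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def normalise_filename(name):
    """Reduce a filename to the form Windows would actually use: drop any path
    prefix, surrounding whitespace, and trailing dots/spaces, then lower-case."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def extension_chain(name):
    """All extensions, last one first: 'invoice.pdf.exe' -> ['exe', 'pdf']."""
    parts = normalise_filename(name).split(".")
    return list(reversed(parts[1:])) if len(parts) > 1 else []


def check_attachment(name):
    """Return (blocked, reason) for one attachment filename.

    The decision rests on the *last* extension, because that is the one the
    OS uses to pick a handler; the rest of the chain goes into the reason so
    an analyst sees the 'pdf.exe' pattern at a glance."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return True, "filename contains bidirectional override characters"
    chain = extension_chain(name)
    if not chain:
        return False, "no extension"
    last = chain[0]
    if last in BLOCKED_EXTENSIONS:
        shown = ".".join(reversed(chain))
        return True, f"blocked extension .{last} (full chain: .{shown})"
    return False, f"extension .{last} allowed"


# Constructed sample attachment names covering the usual evasions.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "invoice.pdf.exe",          # double extension
    "SETUP.EXE",                # upper case
    "update.scr. ",             # trailing dot and space, which Windows ignores
    "C:\\temp\\payload.js",     # path prefix slipped into the name
    "photo\u202Efdp.scr",       # right-to-left override
    "notes",                    # no extension at all
    "archive.tar.gz",           # multi-part extension that is not on the list
]


def filter_attachments(names):
    """Return the subset of names the gateway would drop."""
    return [n for n in names if check_attachment(n)[0]]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        blocked, reason = check_attachment(n)
        print(f"{'DROP ' if blocked else 'allow'} {n!r}: {reason}")
```

On the sample names, five of the eight are dropped and the PDF, the bare `notes` and the `.tar.gz` pass. An extension blocklist is a floor, not a ceiling: it says nothing about executables inside archives or macros inside documents, which still need the other precautions in this list.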
So, that was all, folks! That's the story of the Shamoon malware that has made its way back to infect systems. Make sure you follow the preventions and tips given in this article; they are there to keep you and your data safer.
Stay safe & secure folks!
Wishing you all a very Happy New Year!