Paramount's Vinransomware releases Shamoon Detection Tool



Update : The tool has been updated to detect the latest Jan 2017 variant of the Shamoon2 malware - 01-24-2017 03:09:15 IST



On December 1, 2016, Crowdstrike[2] reported a new targeted attack on some Gulf companies using the Shamoon malware. Shamoon is a malware that infected companies in Middle East and primarily wiped their hard disk. This is a new variant and is dubbed as Shamoon 2.0[1].



Ars reports [3] that, this threat wipes the hard disk when the date on the victim machine matches November 17.



Among the samples that our Threat intelligence lab received, an interesting driver from Eldos is found. This driver enables the threat to perform a raw disk activity on affected machines.



Click here to Download Shamoon2 Updated Detector





We also found that most of the Antivirus products detects this threat. For example, Virus Total reports the detection ratio as 38/56. Both, McAfee and Crowdstrike detects this threat.



We will update this blog once our complete analysis is over.



At present, for immediate benefit of our Middle East users, we are releasing the free Shamoon 2.0 Detection tool.



Click here to Download Shamoon2 Updated Detector





The Indicators of Compromises:



10de241bb7028788a8f278e27a4e335f-Shamoon

b5d2a4d8ba015f3e89ade820c5840639-Shamoon

ac4d91e919a3ef210a59acab0dbb9ab5-Shamoon

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a-Shamoon.Disttrack

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a-Shamoon.Wiper

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34-Shamoon.Dropper

61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842-Shamoon.Communciation

128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd-Shamoon.Wiper

394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b-Shamoon.Dropper





The IOC's for the latest Jan 2017 variant of Shamoon2 malware.

010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb (Shamoon2.Disttrack.Update)

efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8 (Shamoon2.Communication.Update)

113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4 (Shamoon2.Wiper.Update)

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (Shamoon2.vdsk911.sys.Update)



References:

[1] https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

[2] https://www.crowdstrike.com/blog/shamoon2/

[3] http://arstechnica.com/security/2016/12/shamoon-wiper-malware-returns-with-a-vengeance/