Although disk-wiping malware has existed for several years, a new version of an older malware variant has now been detected. This malware is reportedly being used to attack companies which have implemented a virtual desktop infrastructure (VDI).
As opposed to every employee using his or her own computer, in a virtual desktop infrastructure each one is set up with a virtual desktop on a remote server. This structure is favoured in many data centres as it is easier to manage. Another asset of using a VDI system is that it provides protection from disk-wiping malware attacks. A VDI system takes a ‘snapshot’ of every virtual desktop within it at periodic intervals. In the event of a crash, it is usually quite an easy process to restore the desktops to their normal working state.
Unfortunately, the attackers who are responsible for the latest campaign have come to the realisation that simply wiping data is not sufficient to guarantee data can not be recovered. The most recent malware variant uses hardcoded account credentials which permit the VDI system to be accessed, therefore allowing attackers to focus on specific VDI deployments and even delete the snapshots to prohibit the targeted company from recovering the data concerned.
The attackers involved have been using a new version of a malware known as Shamoon, which was also used against a Saudi Arabian company in a 2012 attack. Researchers from Palo Alto Networks observed that Shamoon had re-emerged and had been used in a November attack, although a 3rd variant of the malware has now been identified as that which was used in a second attack that month. The malware was installed and programmed to begin wiping data on Tuesday the 29th of November 2016.
The said attack targeted a particular company which was running Huawei FusionCloud. It involved the use of multiple usernames and passwords, that are believed to have been misappropriated from the targeted company during an earlier attack. Palo Alto Networks has reported that credential theft was probably what occurred rather than brute force tactics to suppose the credentials, as only one of the passwords failed to match the Windows password complexity requirements. The account credentials employed were unique to the company targeted in the attack.
The used malware included both a wiper module and a communications module, which would indicate that the attackers may have intended to steal data prior to the wiping. That said, the C2 module was not in fact operational, meaning that the main purpose of the attack was evidently to destroy data and systems. Additionally, the malware had the capability to spread within the organization’s network; duplicating itself onto numerous systems and the local network.
Those responsible for this campaign appear to have targeted a sole company in Saudi Arabia, however further attacks may yet occur. This type of attack, i.e. the deleting of VDI snapshots with modified disk-wiping malware,might be developed further and has the potential to be used for extortion, with ransom demanded on the threat of data deletion.