APT33 Attacks Organizations Using Shamoon and Filerase Wipers

Delaware, USA – December 20, 2018 – The investigation of recent attacks on the oil and gas industry in the Middle East revealed that the Iranian group APT33 is behind this operation. The attackers had been preparing for the campaign for at least several months, collecting the credentials of company employees through phishing sites with job offerings. McAfee researchers published the results of their investigation, in which they described, in addition to the two wipers (Shamoon V3 and Filerase), other pieces of malware used in the attack.

Preparations for the campaign started four months ago, when the APT group created a number of phishing websites. Some of them contained malicious HTML application files that download and execute a PowerShell script to harvest credentials and domains; other sites invited users to log in with their corporate credentials.

Leveraging the collected data, APT33 penetrates organizations’ networks and uses a toolset written in .NET. The first executable, OCLC.exe, creates a list of systems to infect and starts the next component, Spreader.exe, which infects all the systems in the list with Shamoon V3 and Filerase, creates a batch file with the path of the executables, and then sets up the privileges to run the batch file. For further distribution over the network, the attackers use SpreaderPSexec.exe. The wipers are executed simultaneously, and each of them performs its own function: Filerase overwrites every file twice with random strings and then deletes the files, while Shamoon V3 creates a malicious service, overwrites disk sectors and forces a reboot.

The first destructive attack took place on December 10th, and since then at least two more organizations have been attacked in Saudi Arabia and the United Arab Emirates. Both of them are involved in the oil and gas industry. You can detect attacks using the Shamoon V3 and Filerase wipers with your SIEM and rules from Threat Detection Marketplace.

Shamoon 2 & 3 Disk-Wiping Malware Detector: https://tdm.socprime.com/tdm/info/1409/
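
As an added example (not McAfee's or SOC Prime's rule), the Python below triages process-creation events for the tool names and the OCLC.exe to Spreader.exe launch described above. The event tuples, host names, paths and severity labels are constructed assumptions, and matching on file names alone is an assumption that renaming defeats.

```python
from collections import defaultdict

# File names come from the article. Matching on names alone is an assumption:
# renaming defeats it, so treat hits as triage leads, not verdicts.
TOOL_NAMES = {"oclc.exe", "spreader.exe", "spreaderpsexec.exe"}

# Constructed process-creation events (host, image path, parent image path).
SAMPLE_EVENTS = [
    ("WS01", r"C:\Users\Public\OCLC.exe", r"C:\Windows\explorer.exe"),
    ("WS01", r"C:\Users\Public\Spreader.exe", r"C:\Users\Public\OCLC.exe"),
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\Spreader.exe"),
    ("WS02", r"C:/Temp/SPREADERPSEXEC.EXE", r"C:\Windows\System32\cmd.exe"),
    ("WS03", r"C:\Tools\MySpreader.exe", r"C:\Windows\explorer.exe"),
]


def basename(path):
    """Lower-cased file name, accepting either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {host: {"tools", "chain", "severity"}} for hosts with hits."""
    tools = defaultdict(set)
    chain = defaultdict(bool)
    for host, image, parent in events:
        child, par = basename(image), basename(parent)
        for name in (child, par):
            if name in TOOL_NAMES:
                tools[host].add(name)
        # The article says OCLC.exe starts Spreader.exe: flag that exact pair.
        if child == "spreader.exe" and par == "oclc.exe":
            chain[host] = True
    report = {}
    for host, seen in tools.items():
        high = chain[host] or len(seen) > 1
        report[host] = {
            "tools": sorted(seen),
            "chain": chain[host],
            "severity": "high" if high else "medium",
        }
    return report


if __name__ == "__main__":
    for host, finding in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, finding)
```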