New Version of Disk-Wiping Shamoon/Disttrack Spotted: What You Need to Know

We came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. We were also able to source several samples of this version of Shamoon that Trend Micro detects as Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA. While there are no obvious indications that this new version is currently in the wild, we are further analyzing the malware to verify its functions and capabilities given its destructive impact.

Trend Micro’s XGen™ security already protects users and businesses from this disk-wiping worm using proactive techniques like behavioral analysis and high-fidelity machine learning. Here’s what users and organizations need to know about Shamoon’s latest iteration: 

What is Shamoon/Disttrack?

The Shamoon or Disttrack worm is a wiper. It is known to overwrite files stored in the affected system and infects its master boot record (MBR). Its first iteration overwrites documents, pictures, videos, and music files, wipes the MBR, and replaces it with an image of a burning flag. The second version used an infamous image of a refugee.

This new version of Shamoon appears to have the same MBR-overwriting function. Unlike the previous versions that delete/replace files, this new iteration reportedly sports the capability to irreversibly encrypt files. It also seems to be missing components such as predefined credentials used for lateral movement within the network and command-and-control (C&C) communications. Our analysis is currently ongoing and will verify these as soon as updated information is available. 

Is this new version of Shamoon/Disttrack in the wild?

A file containing Shamoon’s latest version was reportedly uploaded to VirusTotal from Italy. We found no indications that this new version of Shamoon is actively being distributed in the wild. 

How does this new version of Shamoon/Disttrack work?

Our initial findings revealed that it resembles an old version of Shamoon but with some modifications. For example, it changed its service and file names from NtertSrv to MaintenaceSrv. This version of Shamoon affects 32- and 64-bit systems running Windows.

It still retains the capability to overwrite the infected system’s disk and could take the following names (dropped and executed in the system folder as %System%\{wiper name}):

  • _tdibth.exe
  • _wialx002.exe
  • acpipmi2z.exe
  • af0038bdax.exe
  • arcx6u0.exe
  • averfix2h826d_noaverir.exe
  • hidirkbdmvs2.exe
  • mdamx_5560.exe
  • mdmgcs_8.exe
  • mdmusrk1g5.exe
  • megasasop.exe
  • netbxndxlg2.exe
  • prncaz90x.exe
  • prngt6_4.exe
  • prnlx00ctl.exe
  • prnsv0_56.exe
  • tsprint_ibv.exe
  • vsmxraid.exe
  • wiacnt7001.exe
We also infer that this version of Shamoon is poorly configured. For example, it has code to check the user credentials to be used for network propagation, but the list of information is not available. It also has code for C&C communication but there's no C&C-related information. Another missing component is the image it uses. It has code to check for the image to be used when overwriting the MBR, but the resource labeled as “GRANT” where the image should be located is missing. It also has partition checks but is configured to not execute. Given these, we can construe that the authors of this version of Shamoon are testing their malware, and we expect that an actual version of the malware will appear in the future.

Here's an overview of its attack chain:

How does Shamoon/Disttrack propagate?

Shamoon spreads by dropping copies of itself in the system’s administrative shares. The Shamoon worm propagates in these shared network/administrative folders: ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS. 

What makes Shamoon/Disttrack notable?

Shamoon was used in targeted attacks against high-profile organizations and enterprises in the Middle East, particularly those in Saudi Arabia. It’s also worth noting that Shamoon is also being discussed by hackers and members of the Middle Eastern and North African underground. It is also notorious for its sociopolitical statements that accompany the images it replaces the infected system’s MBR with.

Shamoon can render endpoints and servers connected to the targeted organization’s domain unbootable. When it resurfaced in December 2016, Shamoon added a technique that can bypass sandboxes by including a logic bomb in its code. It activates and drops its components at a certain date and time.

External news notes that the new version of Shamoon appears to have the same function. It is configured to activate on December 7, 2017 at 11:51 p.m., probably as a way to execute the malware immediately. 

How do the three versions of Shamoon/Disttrack differ?

Here's an overview of how the three versions of Shamoon differ in terms of behavior:

Behavior Version 1* (2012) Version 2 (2016) Version 3* (2018)
Drops log file containing file path that it will overwrite f1.inf, f2.inf, net{4 char random} netimm173.pnf, usbvideo324.pnf %Windows%\inf\averbh_noav.pnf or %Windows%\inf\mdmnis5tQ1.pnf (contains number of encrypted files only)
MBR wiping Overwrite MBR and partition with 0x30000 bytes (uses damaged image) Overwrite MBR and partition with 0x4e00 bytes (uses image of a refugee)
  • Overwrite MBR first sector (200 Bytes, using random data)
  • Has checking of partition but is configured to not execute
  • Has code to check for image but the resource labeled as “GRANT” is missing
System time trigger SetSystemTime (August 2012) — sets the date to this date CheckSystemTime (starts November 17, 2016 – December 31, 2016) — use as trigger, not force SetSystemTime (August 2012) — sets the date to this date
Installation, Copying of itself, and Autostart

Service name: TrkSvr
   Display name: Distributed Link

Tracking Server   
   Image path: %System%\trksvr.exe

Service name: NtsSvr
   Display name: Microsoft Network
                         Realtime Inspection Service

   Image path: %System%\ntssrvr32.exe
Service name: MaintenaceSvr

Display name: Maintenace Host Service Image
Image path:
  • %System%\MaintenaceSvr32.exe LocalService
  • %System%\MaintenaceSvr64.exe LocalService
Drop path, filename, and propagation are the same %System%\{random file name}.exe (wiper)
%System%\netinit.exe  (version 1 and 2), %System%\{random file name}.exe (version 3) - Network
%System%\Drivers\drdisk.sys, %Windows%\hdv_725x.sys (version 3)

This worm drops copies of itself in the following shared folders:
\\{IP address}\ADMIN$\system32\{random file name}.exe
\\{IP address}\C$\WINDOWS\system32\{random file name}.exe
\\{IP address}\D$\WINDOWS\system32\{random file name}.exe
\\{IP address}\E$\WINDOWS\system32\{random file name}.exe
* Shamoon's first and third versions sets the SetSystemTime setting to August 2012 to allow %Windows%\hdv_725x.sys to run.

What can be done to defend against Shamoon/Disttrack?

Users and especially businesses are recommended to enforce defense in depth in securing their online premises, which includes the following measures:

Updated as of December 12, 2018, 12:42 a.m. PDT to include notable differences in each version of Shamoon.
Updated as of December 12, 2018, 1:42 a.m. PDT to include technical insights on the new version of Shamoon.
Updated as of December 12, 2018 6:05 p.m. PDT to include a visualization of Shamoon's attack chain.
Updated as of December 12, 2018 8:26 p.m. PDT to update the table (System time trigger and note on the first and third versions of Shamoon).

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.