Disk-wiping malware has been around for many years; however, a new variant of an old malware family has been discovered that is being used to target companies that have implemented a virtual desktop infrastructure (VDI).
Rather than each employee using their own physical computer, each is set up with a virtual desktop on a remote server. This arrangement is popular in data centers because it makes management easier. Another benefit of a VDI system is that it protects against disk-wiping malware attacks: VDI systems take a snapshot of each virtual desktop at regular intervals, so should anything happen, restoring the desktops to a working state is a relatively simple process.
However, the attackers behind the latest campaign realized that simply wiping data would not be enough to ensure that it could not be recovered. The latest malware variant uses hardcoded account credentials to gain access to the VDI system, allowing the attackers to target specific VDI deployments and even wipe out the snapshots so that the targeted company cannot recover.
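One defensive consequence of this technique is that snapshot deletions on the VDI management plane become a high-value signal. The following is an added example, not code from the original article or from Palo Alto Networks or Huawei; it scans a constructed audit log (the line format and account names are assumptions, not a real FusionCloud record) and flags accounts that delete an unusual number of snapshots in a short window.

```python
"""Flag snapshot-deletion bursts in a VDI management audit log.

Added example; the log format below is constructed for illustration
and does not represent a real Huawei FusionCloud audit record.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO time> <account> <action> <object>"
SAMPLE_LOG = """\
2016-11-28T01:00:02 svc_backup SNAPSHOT_CREATE vd-0102
2016-11-28T01:05:10 svc_backup SNAPSHOT_CREATE vd-0103
2016-11-28T02:14:05 ops_admin SNAPSHOT_DELETE vd-0007
2016-11-28T02:14:06 ops_admin SNAPSHOT_DELETE vd-0008
2016-11-28T02:14:06 ops_admin SNAPSHOT_DELETE vd-0009
2016-11-28T02:14:07 ops_admin SNAPSHOT_DELETE vd-0010
2016-11-28T02:14:08 ops_admin SNAPSHOT_DELETE vd-0011
2016-11-28T02:14:09 ops_admin SNAPSHOT_DELETE vd-0012
2016-11-28T09:30:00 jdoe SNAPSHOT_DELETE vd-0042
"""


def parse_line(line):
    """Split one constructed audit line into (timestamp, account, action, object)."""
    ts, account, action, obj = line.split()
    return datetime.fromisoformat(ts), account, action, obj


def find_deletion_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {account: max_count} for accounts that delete >= threshold
    snapshots inside any sliding window of length `window`.

    A retention job deletes steadily over time; a wiper that first removes
    restore points tends to produce a burst from a single account.
    """
    deletions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, action, _ = parse_line(line)
        if action == "SNAPSHOT_DELETE":
            deletions[account].append(ts)

    alerts = {}
    for account, times in deletions.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[account] = max(alerts.get(account, 0), count)
    return alerts
```

Alerting is only the second line of defence here; the first is keeping snapshot copies in a location that the VDI management credentials cannot delete.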
The attackers are using a new form of malware called Shamoon, which was used in an attack on a company in Saudi Arabia in 2012. Researchers at Palo Alto Networks noticed that Shamoon had resurfaced and was used in an attack in November; a third variant has also been identified that was used in a second November attack. The disk-wiping malware had been installed and was programmed to start deleting data on November 29, 2016.
The attack targeted a specific company running Huawei FusionCloud. It involved the use of several usernames and passwords, which are believed to have been stolen from the targeted company in a previous attack. Palo Alto Networks reports that credential theft is more likely than brute-force guessing of the credentials, as all but one of the passwords met Windows password complexity requirements. The account credentials used were specific to the targeted company.
The malware had a wiper module and a communications module, which suggests that the attackers may have intended to steal data before wiping it. However, the command-and-control (C2) module was not operational, so the primary purpose of the attack was to destroy data and systems. The malware was also capable of spreading within the targeted organization’s network, copying itself to other systems across the local network.
The attackers behind this campaign appear to have targeted only one company in Saudi Arabia, although further attacks could occur. This method of attack – deleting VDI snapshots with modified disk-wiping malware – could also be developed further and used for extortion, with companies threatened with data deletion if they do not pay a ransom.