Shamoon is back, although we are not entirely sure it ever left.
On Monday, Saudi Arabia warned organizations in the kingdom to be on alert for the Shamoon virus, which cripples computers by wiping their disks. The labor ministry said it had been attacked and a chemicals firm reported a network disruption. This has been dubbed Shamoon 2 by some news outlets.
Here is a simple explanation of what is likely to be happening.
The adversary is using a combination of social engineering and email phishing to infect one or more computers on an organization's network. Either downloading a file or clicking a link downloads an exploit kit.
The computers infected with the exploit kit rapidly perform port sweeps across the subnet to which they are connected. Using automated replication, the malware then attempts to move laterally via remote procedure calls (RPCs). To cover an organization's entire network, the adversary needs to infect machines on many subnets.
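The two behaviours described above, a host probing many neighbours on its own subnet in seconds and then fanning out over RPC ports, both leave a distinctive trace in network flow or firewall logs. The script below is an added detection example written for this article; it is not code from the article or from any Shamoon analysis. It assumes a simple "timestamp source destination port" flow log format, a /24 subnet size, constructed sample records, and illustrative thresholds (8 distinct hosts in 60 seconds for a sweep, 5 distinct hosts on TCP 135/139/445 for RPC fan-out) that a SOC would tune to its own environment.

```python
"""Flag port-sweep and RPC fan-out behaviour in flow records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Windows RPC endpoint mapper (135) and SMB (139/445): ports used by RPC-based
# lateral movement. Illustrative choice, not a statement about Shamoon's code.
RPC_PORTS = {135, 139, 445}

# Constructed sample flow log (not from a real incident):
# "timestamp src dst dport", one flow per line, '#' lines are comments.
SAMPLE_FLOWS = """\
# benign workstation: one file server over SMB, web through a proxy
2017-01-23T09:00:00 10.0.1.20 10.0.1.5 445
2017-01-23T09:00:05 10.0.1.20 10.0.5.10 8080
2017-01-23T09:00:40 10.0.1.20 10.0.1.5 445
# infected host: sweeps its /24 within seconds, then talks RPC to the hits
2017-01-23T09:01:00 10.0.1.15 10.0.1.1 445
2017-01-23T09:01:00 10.0.1.15 10.0.1.2 445
2017-01-23T09:01:01 10.0.1.15 10.0.1.3 445
2017-01-23T09:01:01 10.0.1.15 10.0.1.4 445
2017-01-23T09:01:02 10.0.1.15 10.0.1.6 445
2017-01-23T09:01:02 10.0.1.15 10.0.1.7 445
2017-01-23T09:01:03 10.0.1.15 10.0.1.8 445
2017-01-23T09:01:03 10.0.1.15 10.0.1.9 445
2017-01-23T09:01:04 10.0.1.15 10.0.1.10 445
2017-01-23T09:01:04 10.0.1.15 10.0.1.11 445
2017-01-23T09:01:05 10.0.1.15 10.0.1.12 445
2017-01-23T09:01:10 10.0.1.15 10.0.1.7 135
2017-01-23T09:01:10 10.0.1.15 10.0.1.9 135
2017-01-23T09:01:11 10.0.1.15 10.0.1.11 135
"""


def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, dport) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)


def same_subnet(a, b, prefix=24):
    """True if address b lies in the /prefix network containing address a."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


def detect(flows, window=timedelta(seconds=60), sweep_threshold=8, rpc_threshold=5):
    """Return one alert per (source, behaviour) seen within a sliding time window.

    port_sweep: a source contacts >= sweep_threshold distinct hosts on its own /24.
    rpc_fanout: a source contacts >= rpc_threshold distinct hosts on RPC ports.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport) inside the window
    alerted = set()               # (src, kind) already reported, to avoid repeats
    for ts, src, dst, dport in flows:
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:   # drop flows that fell out of the window
            q.popleft()
        sweep_targets = {d for _, d, _ in q if same_subnet(src, d)}
        rpc_targets = {d for _, d, p in q if p in RPC_PORTS and d != src}
        checks = (
            ("port_sweep", sweep_targets, sweep_threshold),
            ("rpc_fanout", rpc_targets, rpc_threshold),
        )
        for kind, targets, threshold in checks:
            if len(targets) >= threshold and (src, kind) not in alerted:
                alerted.add((src, kind))
                alerts.append({"kind": kind, "src": src,
                               "hosts": len(targets), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['at']} {alert['kind']:<10} {alert['src']} "
              f"reached {alert['hosts']} hosts inside the window")
```

On the constructed log the benign workstation never exceeds one destination, while the infected host trips both rules within the first few seconds of its sweep, which is the point: because the replication is automated and fast, the fan-out is visible long before the wiper payload detonates, so alerting on the sweep rather than on the destruction is what buys response time. The same logic applies to each subnet separately, matching the article's observation that the adversary has to seed every subnet it wants to reach.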
Shamoon 2, like Shamoon that struck Saudi Aramco in 2012, moves extremely fast with the sole objective of destroying systems and bringing businesses to their knees.