Disk-wiping malware in Saudi attacks used inside information

Analysis by Microsoft suggests that the Windows malware used to wipe computer disks at energy companies in Saudi Arabia contained local system and network credentials, pointing to inside knowledge by the attackers.

Computers at unnamed oil companies in Saudi Arabia were rendered unusable in November after a variant of the Shamoon malware erased the hard disk master boot record code that starts up the systems.

Shamoon is believed to be of Iranian origin, and first appeared in 2012. According to analysis by Microsoft, the version of the malware in this year's attacks carries several similarities to the Shamoon virus which may have been used in 2014 against Sony Entertainment.

No infection vector has been identified for the malware, but Microsoft said it has been "highly customised for each targeted organisation," suggesting the attackers were very familiar with their victims' IT systems.

Microsoft has dubbed the malware "Depriz" and the attackers "Terbium", as per the company's internal practice of naming threat actors after chemical elements.

"As credentials have been hard-coded in the malware Terbium uses, it is suspected that Terbium has harvested credentials or infiltrated the target organisation previously," Microsoft said.

Thanks to local credentials being hard-coded into the malware, the virus is able to propagate through networks and establish persistence on an organisation's system.

Similar to the 2012 version of Shamoon, Depriz contains legitimate, licensed software as part of its wiper component - the RawDisk device driver from Eidos Corporation, which requires a valid license key to run.

The analysis by Microsoft noted that the license key from Eidos is the same one used in the 2012 attacks, but is only valid for a short period of time that year.

Terbium gets around this problem by changing the Windows system time to the period in 2012 when the key was valid, Microsoft said.

Microsoft said the Depriz infection chain starts with an executable file written to a hard disk. This contains the malware components, encoded as fake bitmap files which start to spread across an organisation's network once the executable file is run.

Apart from the master boot record, Depriz overwrites data in the Windows Registry configuration database, and in system directories, with an image file.

It also attempts to overwrite user data in the desktop, downloads, documents, pictures, videos and music folders, before rebooting the computer in an unusable state with the shutdown command.

Microsoft claims customers using Windows 10 are protected from Depriz attacks thanks to built-in security components, suggesting the malware attacks were against older versions of the operating system. The Shamoon attacks in 2012 were against Windows 7 PCs.

A 2012 analysis of the original Shamoon code by security vendor Kaspersky pointed to the virus being programmed in an amateurish fashion, with multiple mistakes and errors.

The virus could have been even more destructive without the coding errors, Kaspersky said. Despite this, the security vendor said the authors were "skillful amateurs" who had assembled a "practicable piece of self-replicating destructive malware".