Shamoon disk wiper evolves to kill VDI snapshots

The data-destroying Shamoon malware now comes with a new payload that lets it attack virtual desktop infrastructure (VDI) snapshots, researchers say.

Security vendor Palo Alto Networks said it had found a sample of the updated Shamoon malware in November last year targeting an unnamed Saudi Arabian organisation.

The attack came shortly after Shamoon was observed being used to wipe systems at another Saudi company on November 17 last year. 

VDI snapshots are one of the primary countermeasures against data wiping attacks, allowing administrators to quickly restore destroyed systems.

As with the prior Shamoon attack, the malware had credentials hard-coded into it.

"The most notable thing about this latest sample is that it contains several usernames and passwords from official Huawei documentation related to their virtual desktop infrastructure solutions, such as FusionCloud," Palo Alto Networks said.

Palo Alto Networks believe the credentials were obtained in a prior attack, but the security vendor said it has no details yet of the earlier incident. The Disttrack payload Shamoon drops had 16 account credentials hardcoded into it, including examples with administrator privileges. 

The security firm does not yet know how Shamoon was delivered to target systems.

Palo Alto believes the hardcoded VDI credentials suggest attackers wanted to maximise the destructive impact of Shamoon. It advised organisations to further bolster safeguards to protect VDI credentials to prevent attacks.

Shamoon appeared roughlyfour years ago, and has been used to make tens of thousands of computers at Middle East energy companies inoperable by wiping their hard drives.

Companies attacked include Saudi-Arabia's Aramco - the world's largest energy producer.

Security vendor Symantec and rival firm Crowdstrike both believe Saudi Arabia's foe Iran is behind the attacks.