Threats Feed | Cutting Sword of Justice | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 21/02/2017

Disttrack Malware Decimates Saudi Critical Infrastructure

  • Actor Motivations: Sabotage
  • Attack Vectors: Malware, Wiper
  • Attack Complexity: Very High
  • Threat Risk: High Impact/High Probability

Threat Overview

The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, notorious for destructive attacks that overwrite system master boot records. The report traces the malware's history and its resurgence, and examines its technical operation, including its network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. The report's abstract summarises the malware's threat and operational dynamics for a general audience.

Detected Targets

Type | Description | Confidence

  • Case: Aramco (Confidence: Verified). Saudi Aramco, officially the Saudi Arabian Oil Group or simply Aramco, is a state-owned petroleum and natural gas company that is the national oil company of Saudi Arabia. As of 2022, it is the second-largest company in the world by revenue and is headquartered in Dhahran. Aramco has been targeted by Cutting Sword of Justice as the main target.
  • Case: General Authority of Civil Aviation (GACA) (Confidence: Verified). The General Authority of Civil Aviation develops air transport according to the latest international norms and promotes the Kingdom's position globally as an influential agency in the international civil aviation industry. GACA has been targeted by Cutting Sword of Justice as the main target.
  • Case: RasGas (Confidence: Verified). RasGas Company Limited was a liquefied natural gas (LNG) producing company in Qatar. RasGas has been targeted by Cutting Sword of Justice as the main target.
  • Case: Saudi Central Bank (Confidence: Verified). The Saudi Central Bank, previously known as the Saudi Arabian Monetary Authority, established in 1952, is the central bank of the Kingdom of Saudi Arabia. After the name change in 2020, the Saudi Central Bank continued to use the same acronym. The Saudi Central Bank has been targeted by Cutting Sword of Justice as the main target.
  • Case: Saudi Electricity Company (Confidence: Verified). Saudi Electricity Company is the Saudi electric energy company. It enjoys a near monopoly on the generation, transmission and distribution of electric power in Saudi Arabia through 45 power generation plants in the country. Saudi Electricity Company has been targeted by Cutting Sword of Justice as the main target.
  • Sector: Financial (Confidence: Verified)
  • Sector: Aerospace (Confidence: Verified)
  • Sector: Energy (Confidence: Verified)
  • Sector: Oil and Gas (Confidence: Verified)
  • Region: Qatar (Confidence: Verified)
  • Region: Saudi Arabia (Confidence: Verified)

Extracted IOCs


Tip: 9 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 9 file hash) have been found for this threat.

Overlaps

Actor: Unknown | Report: Shamoon 2.0: Elevated Threat with Advanced Evasion Techniques in the Middle East

Source: Vin Ransomware - February 2017

Detection (five cases): 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd, 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b, 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34, 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a

Actor: Greenbug | Report: Shamoon Malware Strikes Again: Saudi Organizations in the Crosshairs

Source: Vin Ransomware - January 2017

Detection (one case): 010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb

Actor: Unknown | Report: Data Wiping and Network Intrusion: The Second Wave of Shamoon 2 Attacks

Source: Palo Alto Networks - January 2017

Detection (three cases): 010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb, 113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4, efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8

Actor: Cutting Sword of Justice | Report: Shamoon 2: The Return of Disttrack's Destructive Force in Saudi Arabia

Source: Palo Alto Networks - November 2016

Detection (six cases): 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd, 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b, 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34, 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, 772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5, c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.