A new sample of Shamoon 3 was uploaded on December 23 to the VirusTotal platform from France, it is signed with a Baidu certificate.
A new sample of the dreaded Shamoon wiper was uploaded on December 23 to the VirusTotal platform from France. This sample attempt to disguise itself as a system optimization tool developed by Chinese technology company Baidu.
The new variant is signed with a digital certificate from Baidu that was issued on March 25,
AThis sample was packed using the commercial packing tool Enigma version 4.
In the attempt to deceive the victims, attackers used the internal file name “Baidu PC Faster” and the “Baidu WiFi Hotspot Setup” in the description of the file.
“The newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion.” reads the analysis published by Anomali Labs.
Experts speculate the Shamoon 3 sample was “compiled based on the second version of the codebase,” it has many similarities with Shamoon 2.
(SecurityAffairs – Shamoon 3, hacking)