The malware known as Disttrack is a destructive worm that targets a system’s master boot record (MBR). It has been spreading in waves and targeting critical infrastructure in the Arabian Peninsula.  

In this week’s Threat Spotlight, Cylance’s Threat Guidance team examines the inner workings of this malware to learn how it carries out its destructive goals.


Threat Overview

This threat, also known as Shamoon, has been detected in two waves. It first appeared in 2012, when it targeted Saudi Aramco, a Saudi Arabian national petroleum and natural gas company. It wiped the MBRs on over 35,000 systems in what is still viewed as one of the most destructive commercial attacks ever on a critical infrastructure system. This version was launched after an employee clicked on a malicious link in a spear phishing email. The malware took advantage of the victim’s elevated system credentials, rapidly spreading to over two-thirds of corporate machines before the infection was discovered.

An enhanced version reappeared in November 2016 and became more widespread. Disttrack has since been used in attacks against 15 Saudi government agencies and private companies, including Saudi Arabia’s General Authority of Civil Aviation.

Why Is Disttrack So Dangerous?

Unlike ransomware, which at least gives victims a chance to restore their systems by paying in bitcoin, Disttrack wipes the MBR and is designed to disrupt virtual desktop infrastructure (VDI) in creative and destructive ways. While one benefit of VDI is its ability to restore damaged clients, Disttrack ships with default credentials for well-known VDI products, allowing the attackers to delete the backups that recovery would depend on.

How Is It Delivered?

Disttrack uses macro-enabled documents and PowerShell scripts to infect targeted systems.

This threat uses spear phishing emails to tempt a user into opening a Word attachment. The document then launches a PowerShell script that opens communication with a C2 server. Once connected, the threat actors acquire network infrastructure details and gain privileged credentials, identifying critical internal systems such as data servers.

Next, the destructive malware is executed in a coordinated and precisely targeted attack, wiping MBRs throughout the organization. Drives are made inaccessible, key systems are disabled, and all business activity at the targeted organization comes screeching to a halt.
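A defender-side check for the damage described above, added here as an example that is not part of the original post or of any Cylance product: it parses a 512-byte MBR, flags the signs of a wipe (missing 0x55AA signature, zeroed boot code, empty partition table), and compares the sector hash against a baseline recorded while the host was known-good. The sample sectors are constructed inline; on a real host you would feed it the first 512 bytes of the raw disk, read with administrative rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: 446 bytes of boot code, four 16-byte partition
    entries at offset 446, and the 0x55AA boot signature at offset 510."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_present": any(sector[:446]),
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }

def assess_mbr(sector: bytes, baseline_sha256: str = "") -> list:
    """Return findings consistent with the MBR having been wiped or overwritten."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["boot_code_present"]:
        findings.append("boot code area is all zeros")
    if not info["partitions"]:
        findings.append("no partition entries")
    if baseline_sha256 and info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings

# Constructed sample: a healthy MBR with a boot-code stub, one NTFS partition and the signature.
HEALTHY_MBR = bytearray(MBR_SIZE)
HEALTHY_MBR[0:4] = b"\x33\xc0\x8e\xd0"  # xor ax,ax / mov ss,ax: a typical boot-code prologue
struct.pack_into("<B3xB3xII", HEALTHY_MBR, 446, 0x80, 0x07, 2048, 2097152)  # bootable NTFS, 1 GiB
HEALTHY_MBR[510:512] = BOOT_SIGNATURE
HEALTHY_MBR = bytes(HEALTHY_MBR)
BASELINE = parse_mbr(HEALTHY_MBR)["sha256"]  # record this while the host is known-good
# Constructed sample: the same sector after a wiper overwrote it with zeros.
WIPED_MBR = b"\x00" * MBR_SIZE
```

A sector overwritten with non-zero filler still fails the signature and baseline checks, so the hash comparison is the one that catches every variant of overwrite.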

CylancePROTECT Prevents Disttrack

CylancePROTECT utilizes the power of machine learning and artificial intelligence to stop this threat before it causes any damage. The Script Control feature of CylancePROTECT prevents the execution of PowerShell scripts, thus preventing the command and control of the system by a threat actor.

If for some reason Script Control is disabled or set in Alert Mode, CylancePROTECT will still prevent the execution of the malware executable that causes the destruction of the MBR. This second layer of prevention means that CylancePROTECT customers are fully protected from this threat.

Destructive malware such as Disttrack can bring an organization to its knees, so it is critical to deploy an intelligent and preventative endpoint protection product, to stop attacks before they start.

Convinced that the next generation of endpoint security is right for your organization? Contact a Cylance expert to get started!