Disttrack, also known as Shamoon, is destructive malware first identified in the 2012 cyber-attacks on Saudi Aramco and RasGas. It is designed to infiltrate systems and cause significant damage by wiping data. It operates by installing a communications module and a wiper module onto the infected system, a task carried out by a Disttrack dropper. The malware's resources have their language set to 'SUBLANG_ARABIC_YEMEN', a feature also found in the earlier Disttrack samples used in the Shamoon 2 attacks.
Disttrack decodes its embedded payloads by accessing ciphertext at a specified offset and subtracting 14 from it, a method consistent with the Disttrack samples delivered in the Shamoon 2 attacks. One behaviour has changed, however: unlike past Shamoon attacks, the recent iterations of the Disttrack wiper do not overwrite files with an image. This change signals a continuing evolution in the malware's design and function, suggesting increased sophistication on the part of the threat actors behind it.
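Added example, not code from the original description or from any Disttrack sample: a small Python analyst helper that applies the subtract-14 decoding described above to a resource blob and then checks whether the result looks like a PE image, which is how an analyst would confirm that an embedded module was recovered correctly. It assumes the subtraction is applied byte-wise with wrap-around modulo 256; the offset and the resource bytes below are constructed for the example, not values taken from a real sample.

```python
# Added example (not from the original description or any Disttrack sample):
# applies the page's subtract-14 decoding to a resource blob and checks
# whether the output is a PE image. Assumption: the subtraction is applied
# to every byte from the offset onward, wrapping modulo 256. The offset and
# blob used here are constructed, not taken from real samples.

KEY = 14  # the constant named in the description

def decode_resource(blob: bytes, offset: int, key: int = KEY) -> bytes:
    """Subtract `key` from each byte of `blob` starting at `offset`;
    bytes before the offset are treated as header and skipped."""
    if not 0 <= offset <= len(blob):
        raise ValueError("offset outside resource")
    return bytes((b - key) & 0xFF for b in blob[offset:])

def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: an embedded module should begin with an
    MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def encode_for_demo(plain: bytes, key: int = KEY) -> bytes:
    """Inverse transform, used only to build the constructed test blob."""
    return bytes((b + key) & 0xFF for b in plain)

# Constructed stand-in for a decoded module: a minimal MZ stub whose
# e_lfanew (at offset 0x3C) points at a PE signature at offset 0x40.
FAKE_MODULE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
               + b"PE\x00\x00" + b"\x00" * 16)
# Constructed resource: 8 bytes of header filler, then the encoded module.
DEMO_OFFSET = 8
DEMO_RESOURCE = b"\xAA" * DEMO_OFFSET + encode_for_demo(FAKE_MODULE)

if __name__ == "__main__":
    decoded = decode_resource(DEMO_RESOURCE, DEMO_OFFSET)
    print("decoded module is PE:", looks_like_pe(decoded))
```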
Several variants of Disttrack have been identified, including x64 and x86 versions of the Disttrack dropper, communications module, and wiper module. These variants demonstrate the malware's adaptability and its ability to target different system architectures. Given the destructive capabilities of Disttrack and its history of targeting critical infrastructure sectors, it remains a significant cybersecurity concern that calls for robust security measures and constant vigilance.
Description last updated: 2024-05-05T03:28:00.814Z