The Shamoon malware – the one that has been named the number one suspect in the attacks that targeted Saudi Aramco – appears to have been created by politically-driven skilled amateurs. At least, that’s what security researchers from Kaspersky concluded.
After further analyzing the threat, experts noticed that the destructive functionality of the Trojan offers some clues to the motivation of its creators. Shamoon destroys files by overwriting them with garbage content.
The garbage content is actually taken from a picture of a burning US flag, most likely sourced from Wikipedia.
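As an added illustration from the defender's side (this is not code from the page, from Kaspersky, or from the Shamoon sample itself), the following Python triage script flags files that look overwritten in the way just described: a non-image file whose first bytes are a JPEG marker, or several unrelated files that share identical leading bytes, which is what happens when a wiper fills every victim file with the same image fragment. The sample file tree, the stand-in image fragment and the 4096-byte fingerprint window are constructed assumptions for the demo.

```python
"""Forensic triage for wiper-style overwrites.

Added example (not Kaspersky's analysis code and not the malware):
walk a directory tree and flag files whose contents look like they were
replaced by a repeated fragment of a JPEG image.  All sample data below
is constructed inline so the script runs offline.
"""
import os
import tempfile
from collections import Counter

JPEG_MAGIC = b"\xff\xd8\xff"          # JPEG start-of-image marker
IMAGE_EXTS = {".jpg", ".jpeg"}        # extensions where a JPEG header is expected
CHUNK = 4096                          # assumed fingerprint window (leading bytes)


def fingerprint(path, chunk=CHUNK):
    """Return the first `chunk` bytes of a file (its 'head')."""
    with open(path, "rb") as f:
        return f.read(chunk)


def triage(root):
    """Return sorted relative paths of files that look overwritten.

    Two heuristics:
      1. a file that is not an image but begins with a JPEG marker;
      2. two or more files whose leading bytes are byte-for-byte identical,
         which is the signature of one payload stamped over many files.
    """
    entries = []
    heads = Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            head = fingerprint(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries.append((rel, head))
            heads[head] += 1

    flagged = []
    for rel, head in entries:
        ext = os.path.splitext(rel)[1].lower()
        jpeg_in_non_image = head.startswith(JPEG_MAGIC) and ext not in IMAGE_EXTS
        shared_head = len(head) > 0 and heads[head] > 1
        if jpeg_in_non_image or shared_head:
            flagged.append(rel)
    return sorted(flagged)


def build_sample(root):
    """Construct a small tree: ordinary files plus two 'wiped' files.

    The fragment is a constructed stand-in for a slice of a JPEG, not a
    real image; the wiped files are that fragment repeated to 64 KiB.
    """
    fragment = JPEG_MAGIC + b"\xe0" + bytes(range(256)) * 8
    wiped = (fragment * (64 * 1024 // len(fragment) + 1))[: 64 * 1024]
    files = {
        "docs/report.docx": b"PK\x03\x04 constructed office document " * 40,
        "docs/notes.txt": b"meeting notes, constructed\n" * 30,
        "db/customers.mdb": wiped,      # overwritten
        "docs/plan.xlsx": wiped,        # overwritten with the same payload
        "photos/team.jpg": JPEG_MAGIC + b"\xe0 constructed real photo bytes " * 50,
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return sorted(files)


def demo():
    """Build the constructed tree in a temp dir and run triage over it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for hit in demo():
        print("possible overwrite:", hit)
```

On the constructed tree the real photo is left alone (a JPEG header in a `.jpg` is expected and its head is unique), while `db/customers.mdb` and `docs/plan.xlsx` are flagged by both rules. In a real incident the shared-head rule is the more robust of the two, since it does not depend on what the attacker chose as filler: any wiper that stamps one payload across many files produces the same leading bytes everywhere.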
Another noteworthy finding is that the creators of Shamoon used a legitimate kernel-mode component, more precisely the signed drivers of RawDisk, a piece of software made by Eldos.
Experts warn driver developers that such methods are becoming more common, with malware authors turning to legitimate signed drivers in order to perform malicious tasks.
However, the cybercriminals made some amateurish mistakes while building the malware, which leads researchers to believe that they are skilled amateurs at best.