The specialists of the company Cylera Labs found common features in the source code and techniques used by the operators of the malware Shamoon and Kwampirs, indicating that they belong to the same group or work very closely together.
“The facts discovered during the study indicate the mutual evolution of the malicious Shamoon and Kwampirs families in a known period of time. Since Kwampirs is based on the original Shamoon, and the code of Shamoon 2 and 3 is based on Kwampirs, […] This means that the authors of Kwampirs can potentially be the authors of Shamoon or have close ties with them, as we have seen for a certain period of time,” said Pablo Rincón Crespo, a specialist at Cylera Labs.
Shamoon, also known as DistTrack, is a malware for stealing information. The malware is also equipped with a destructive component that allows you to overwrite the master boot record with arbitrary data, which is why the infected machine stops working.
Shamoon is a development of the hacker group Magic Hound (aka Timberworm and COBALT GIPSY), which first became known in 2012. Since then, at least two versions of the malware have been released – Shamoon 2 (2016) and Shamoon 3 (2018). Last year, the US government recognized Shamoon as the work of Iranian hackers attacking the automated control system.
On the other hand, attacks using the Kwampirs backdoor were associated with the Orangeworm group, discovered in 2015 and attacking healthcare organizations in the United States, Europe and Asia.
Cylera Labs discovered the connection between Shamoon and Kwampirs thanks to malware artifacts and previously unnoticed components, one of which is an intermediate version. We are talking about the Shamoon dropper, but without the viper function. At the same time, the same loader code was used as that of Kwampirs.
Moreover, code-level similarities were found between Kwampirs and subsequent versions of Shamoon. This includes functions for obtaining system metadata, extracting the MAC address and keyboard layout information of the victim, as well as using the same Windows InternetOpenW API to process HTTP requests to the C&C server.
As a result, the researchers concluded that Kwampirs is probably based on Shamoon 1, and Shamoon 2 inherited part of its code from Kwampirs. That is, the operators of both malware are different subgroups of one larger grouping, or even the same grouping altogether.