Symantec confirms latest oil and gas cyber attack

18 December 2018
Deadlier malware version makes file recovery on infected hard disks impossible

US-based Symantec has confirmed that a series of cyber attacks using a deadlier version of the Shamoon malware, which wiped out thousands of disks at oil giant Saudi Aramco in 2012, has targeted two oil and gas organisations in Saudi Arabia and the UAE, in addition to the Middle East servers of Italy’s Saipem.

The latest re-emergence of the virus, which was last detected in 2016, involves a new wiper, Trojan.Filerase, which deletes files from infected computers before the Shamoon malware wipes the master boot record.

“[Trojan.Filerase] will delete and overwrite files on the infected computer. Shamoon itself will meanwhile erase the master boot record of the computer, rendering it unusable,” Symantec said in a statement.

“While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible.”

Last week, Saipem said it shut down its servers in Saudi Arabia, the UAE and Kuwait as a result of a targeted cyber attack against them. The cyber attack, which the firm reported on 10 December, originated in Chennai, India.

Saipem subsequently said that the cyber attack affected between 300 and 400 servers and over 100 personal computers.

According to Symantec, one of the new Shamoon victims, an organisation based in Saudi Arabia, had recently also been attacked by another group, which Symantec calls Elfin (APT33), and had been infected with the Stonedrill malware (Trojan.Stonedrill).

“There were additional attacks against this organisation in 2018 that may have been related to Elfin or could have been the work of yet another group,” Symantec said.

The proximity of the Elfin and the Shamoon attacks against this organisation means it is possible the two incidents are linked.

Unconfirmed reports indicate that the other unnamed organisation subjected to the latest Shamoon attack maintains a regional office in the northern UAE emirate of Sharjah.

“Employees have been reporting to work over the past few days but are practically doing nothing since their workstations have been disabled,” a source tells MEED.

When reached by MEED, the company declined to comment on the reported cyber attack.
