Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[1][2][3][4]

ID: S0140
Associated Software: Disttrack
Type: MALWARE
Platforms: Windows
Version: 2.0

Associated Software Descriptions

Name Description
Disttrack [1]

Techniques Used

Domain ID Name Use
Enterprise T1088 Bypass User Account Control

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[1]

Enterprise T1043 Commonly Used Port

Shamoon has used TCP port 8080 for C2.[1]

Enterprise T1485 Data Destruction

Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites.[3][4][1][2]

Enterprise T1486 Data Encrypted for Impact

Shamoon has an operational mode for encrypting data instead of overwriting it.[1][2]

Enterprise T1487 Disk Structure Wipe

Shamoon has been seen overwriting features of disk structure such as the MBR.[3][4][1][2]
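The routine below is an added example, not code from MITRE or from the reports cited on this page. It is the kind of check an incident responder runs on a suspected Shamoon victim before attempting recovery: does the first sector of the disk image still look like an intact MBR? The 0x55AA boot signature, the 446 bytes of boot code and the four 16-byte partition entries are the standard MBR layout; the entropy threshold and the three sample sectors (a constructed intact MBR, an all-zero sector, and a sector overwritten with JPEG-style image data in the spirit of the image-file overwrite described under Data Destruction) are my own assumptions.

```python
"""Triage the first sector of a disk image for signs of an MBR wipe.

Added example for this page (not MITRE or vendor code).  An intact MBR ends
with the 0x55AA boot signature and carries four 16-byte partition entries
that are either all zero or have a boot indicator of 0x00/0x80 and a
non-zero sector count; the 446 bytes before the table are boot code, which
is mostly zero padding on a normal Windows disk.  A wiper that replaces the
sector with image data or random bytes breaks those invariants, so checking
them is a cheap first step before attempting recovery.  All sample sectors
below are constructed, and the entropy threshold is an assumed heuristic.
"""
import math
import struct
from collections import Counter

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption, tune against known-good images


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for random data, near 0 for zero-padded boot code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries (boot flag, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"boot": boot, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector: bytes) -> dict:
    """Return a verdict and the individual findings for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(sector)
    if not any(any(e.values()) for e in entries):
        findings.append("partition table empty")
    for idx, e in enumerate(entries):
        if not any(e.values()):
            continue  # unused slot, all zero
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid boot indicator 0x{e['boot']:02x}")
        if e["sectors"] == 0:
            findings.append(f"partition {idx}: zero sector count")
    entropy = shannon_entropy(sector[:PARTITION_TABLE_OFFSET])
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"boot code entropy {entropy:.2f} bits/byte (random-looking overwrite)")
    return {"suspicious": bool(findings), "findings": findings, "entropy": entropy}


def build_sample_mbr() -> bytes:
    """Constructed intact MBR: a few boot-code bytes, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xC0\x8E"  # xor ax,ax / mov ..., the usual opening of MBR boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_image_overwritten_mbr() -> bytes:
    """Constructed wiped sector: a JFIF header plus filler, standing in for an image-file overwrite."""
    header = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
    return header + (bytes(range(256)) * 2)[:SECTOR_SIZE - len(header)]


if __name__ == "__main__":
    for label, sector in [("intact", build_sample_mbr()),
                          ("zeroed", bytes(SECTOR_SIZE)),
                          ("image overwrite", build_image_overwritten_mbr())]:
        print(label, triage_mbr(sector))
```

Run it against `dd if=/dev/sdX bs=512 count=1` output or the first 512 bytes of a forensic image; a GPT disk will show a single 0xEE protective entry, which passes these checks, and a hit on any finding means the disk should be imaged before anything else touches it.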

Enterprise T1036 Masquerading

Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols."[1]

Enterprise T1112 Modify Registry

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It then connects to the target's Registry with RegConnectRegistryW and disables UAC remote restrictions by setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1. With that value set, local administrator accounts authenticating over the network receive a full administrator token instead of the filtered token UAC would otherwise issue, which allows remote administration (writing to administrative shares, creating tasks and services) that the filtered token would block.[4][1]

Enterprise T1050 New Service

Shamoon creates a new service named "ntssrv" to execute the payload.[1]

Enterprise T1027 Obfuscated Files or Information

Shamoon contains base64-encoded strings.[1]

Enterprise T1012 Query Registry

Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[1]

Enterprise T1105 Remote File Copy

Shamoon can download an executable to run on the victim.[1]

Enterprise T1018 Remote System Discovery

Shamoon scans the /24 (class C) subnet of each IP address assigned to the victim's network interfaces.[4]

Enterprise T1053 Scheduled Task

Shamoon copies an executable payload to the target system by using Windows Admin Shares and then scheduling an unnamed task to execute the malware.[4][1]

Enterprise T1035 Service Execution

Shamoon creates a new service named "ntssrv" to execute the payload.[1]

Enterprise T1071 Standard Application Layer Protocol

Shamoon uses HTTP for C2.[1]

Enterprise T1082 System Information Discovery

Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[1]

Enterprise T1016 System Network Configuration Discovery

Shamoon obtains the target's IP address and local network segment.[1]

Enterprise T1124 System Time Discovery

Shamoon obtains the system time and only activates once it is later than a hard-coded trigger date.[1]

Enterprise T1078 Valid Accounts

If Shamoon cannot access shares using its current privileges, it attempts access using hard-coded, domain-specific credentials gathered earlier in the intrusion.[4]

Enterprise T1077 Windows Admin Shares

Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.[4]
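The detection below is an added example, not MITRE or vendor code. It sits here because the Modify Registry, Scheduled Task, New Service, Masquerading and Windows Admin Shares entries above are stages of one remote-execution chain rather than independent observations, so they are best detected together: RemoteRegistry enabled, LocalAccountTokenFilterPolicy set to 1, an executable written to an administrative share, an unnamed scheduled task, and a service named ntssrv, all on the same host. The events are constructed JSON lines modelled on Windows System (7040, 7045), Security (4698, 5145) and Sysmon (event ID 13) records; field names are simplified rather than the exact EVTX XML, and every hostname, user, timestamp and file name is invented. The rules, the stage names and the MIN_STAGES threshold are my own.

```python
"""Correlate host events into the remote-execution chain described on this page.

Added example for this page, not MITRE, Palo Alto or Symantec code.  The
records below are constructed JSON lines modelled on Windows System (7040,
7045), Security (4698, 5145) and Sysmon (13) events; field names are
simplified rather than the exact EVTX XML, and every hostname, user, time
and file name is invented.  The detection logic is mine: one rule per stage
of the chain, and any host that hits at least MIN_STAGES distinct stages is
reported with the order in which the stages were first seen.
"""
import json
from collections import defaultdict

# Registry value Shamoon sets to disable UAC remote restrictions.  The hive
# prefix is left off so the match works for HKLM\ and \REGISTRY\MACHINE\ spellings.
LATFP_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy"
ADMIN_SHARES = {"admin$", "c$", "ipc$"}
MASQUERADE_NAME = "ntssrv"
MASQUERADE_DISPLAY = "microsoft network realtime inspection service"
MIN_STAGES = 3  # assumption: raise or lower against your own baseline


def classify(ev: dict):
    """Map one event to a stage of the chain, or None if it is not part of it."""
    eid, f = ev.get("EventID"), ev.get("Fields", {})
    if eid == 7040 and "remoteregistry" in f.get("ServiceName", "").lower().replace(" ", ""):
        if f.get("NewStartType", "").lower() != "disabled":
            return "remote_registry_enabled"
    if eid == 13 and f.get("TargetObject", "").lower().endswith(LATFP_SUFFIX):
        if f.get("Details", "").lower().endswith("0x00000001)"):  # Sysmon renders DWORDs as "DWORD (0x...)"
            return "uac_remote_restrictions_disabled"
    if eid == 5145:
        share = f.get("ShareName", "").rstrip("\\").rsplit("\\", 1)[-1].lower()
        if share in ADMIN_SHARES and f.get("RelativeTargetName", "").lower().endswith(".exe"):
            return "executable_written_to_admin_share"
    if eid == 4698 and not f.get("TaskName", "").strip("\\ "):
        return "unnamed_scheduled_task"
    if eid == 7045:
        if (f.get("ServiceName", "").lower() == MASQUERADE_NAME
                or f.get("DisplayName", "").lower() == MASQUERADE_DISPLAY):
            return "masquerading_service_installed"
    return None


def correlate(lines, min_stages: int = MIN_STAGES) -> dict:
    """Return {host: [stage, ...]} in first-seen order for hosts reaching min_stages."""
    seen = defaultdict(dict)  # host -> {stage: first timestamp}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stage = classify(ev)
        if stage and stage not in seen[ev["Computer"]]:
            seen[ev["Computer"]][stage] = ev["TimeCreated"]
    return {host: list(stages) for host, stages in seen.items() if len(stages) >= min_stages}


# Constructed sample: one host walked through the whole chain, one host with ordinary activity.
SAMPLE_EVENTS = r"""
{"TimeCreated":"2024-01-15T09:31:02Z","Computer":"WS-FIN-07","EventID":7040,"Fields":{"ServiceName":"Remote Registry","OldStartType":"disabled","NewStartType":"demand start"}}
{"TimeCreated":"2024-01-15T09:31:05Z","Computer":"WS-FIN-07","EventID":13,"Fields":{"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy","Details":"DWORD (0x00000001)"}}
{"TimeCreated":"2024-01-15T09:31:40Z","Computer":"WS-FIN-07","EventID":5145,"Fields":{"SubjectUserName":"svc-backup","ShareName":"\\\\*\\ADMIN$","RelativeTargetName":"payload.exe","AccessMask":"0x2"}}
{"TimeCreated":"2024-01-15T09:31:44Z","Computer":"WS-FIN-07","EventID":4698,"Fields":{"SubjectUserName":"svc-backup","TaskName":"\\"}}
{"TimeCreated":"2024-01-15T09:32:10Z","Computer":"WS-FIN-07","EventID":7045,"Fields":{"ServiceName":"ntssrv","DisplayName":"Microsoft Network Realtime Inspection Service","ImagePath":"C:\\Windows\\System32\\payload.exe"}}
{"TimeCreated":"2024-01-15T09:33:00Z","Computer":"SRV-FILE-01","EventID":5145,"Fields":{"SubjectUserName":"jdoe","ShareName":"\\\\*\\Public","RelativeTargetName":"report.xlsx","AccessMask":"0x1"}}
{"TimeCreated":"2024-01-15T09:35:12Z","Computer":"SRV-FILE-01","EventID":7045,"Fields":{"ServiceName":"BackupAgent","DisplayName":"Backup Agent Service","ImagePath":"C:\\Program Files\\Backup\\agent.exe"}}
{"TimeCreated":"2024-01-15T09:36:00Z","Computer":"SRV-FILE-01","EventID":4698,"Fields":{"SubjectUserName":"jdoe","TaskName":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}}
"""


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS.splitlines()).items():
        print(host, "->", " > ".join(stages))
```

The LocalAccountTokenFilterPolicy write and the ntssrv service name are the high-confidence indicators; 5145 writes to ADMIN$ and 4698 task creation are routine on any network with legitimate remote administration, which is why they only count in combination and why the threshold is left adjustable.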

Groups That Use This Software

ID Name References
G0064 APT33 [5]

References