Shamoon
Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states. [1] [2]
ID: S0140
Aliases: Shamoon, Disttrack
Type: MALWARE
Platforms: Windows
Version: 1.0
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1088 | Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[2] |
| Enterprise | T1043 | Commonly Used Port | Shamoon has used TCP port 8080 for C2.[2] |
| Enterprise | T1083 | File and Directory Discovery | Shamoon attempts to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the victim with its current privileges.[1] |
| Enterprise | T1107 | File Deletion | Shamoon attempts to overwrite operating system files with image files.[1][2] |
| Enterprise | T1036 | Masquerading | Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.”[2] |
| Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.[1][2] |
| Enterprise | T1050 | New Service | Shamoon creates a new service named “ntssrv” to execute the payload.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Shamoon contains base64-encoded strings.[2] |
| Enterprise | T1012 | Query Registry | Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[2] |
| Enterprise | T1105 | Remote File Copy | Shamoon can download an executable to run on the victim.[2] |
| Enterprise | T1018 | Remote System Discovery | Shamoon scans the C-class subnet of the IPs on the victim's interfaces.[1] |
| Enterprise | T1053 | Scheduled Task | Shamoon copies an executable payload to the target system by using Windows Admin Shares and then scheduling an unnamed task to execute the malware.[1][2] |
| Enterprise | T1035 | Service Execution | Shamoon creates a new service named “ntssrv” to execute the payload.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Shamoon uses HTTP for C2.[2] |
| Enterprise | T1082 | System Information Discovery | Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Shamoon obtains the target's IP address and local network segment.[2] |
| Enterprise | T1124 | System Time Discovery | Shamoon obtains the system time and will only activate if it is greater than a preset date.[2] |
| Enterprise | T1078 | Valid Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.[1] |
| Enterprise | T1077 | Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, and copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.[1] |