Shamoon

Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states. [1] [2]

ID: S0140
Aliases: Shamoon, Disttrack
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[2]
Enterprise | T1043 | Commonly Used Port | Shamoon has used TCP port 8080 for C2.[2]
Enterprise | T1083 | File and Directory Discovery | Shamoon attempts to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the victim with its current privileges.[1]
Enterprise | T1107 | File Deletion | Shamoon attempts to overwrite operating system files with image files.[1][2]
Enterprise | T1036 | Masquerading | Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols."[2]
Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It then connects to the system with RegConnectRegistryW and modifies the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.[1][2]
Enterprise | T1050 | New Service | Shamoon creates a new service named "ntssrv" to execute the payload.[2]
Enterprise | T1027 | Obfuscated Files or Information | Shamoon contains base64-encoded strings.[2]
Enterprise | T1012 | Query Registry | Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[2]
Enterprise | T1105 | Remote File Copy | Shamoon can download an executable to run on the victim.[2]
Enterprise | T1018 | Remote System Discovery | Shamoon scans the C-class subnet of the IPs on the victim's interfaces.[1]
Enterprise | T1053 | Scheduled Task | Shamoon copies an executable payload to the target system by using Windows Admin Shares and then schedules an unnamed task to execute the malware.[1][2]
Enterprise | T1035 | Service Execution | Shamoon creates a new service named "ntssrv" to execute the payload.[2]
Enterprise | T1071 | Standard Application Layer Protocol | Shamoon uses HTTP for C2.[2]
Enterprise | T1082 | System Information Discovery | Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[2]
Enterprise | T1016 | System Network Configuration Discovery | Shamoon obtains the target's IP address and local network segment.[2]
Enterprise | T1124 | System Time Discovery | Shamoon obtains the system time and will only activate if it is greater than a preset date.[2]
Enterprise | T1078 | Valid Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard-coded, domain-specific credentials gathered earlier in the intrusion.[1]
Enterprise | T1077 | Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.[1]
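Several rows above give host-level indicators a defender can match directly: the "ntssrv" service name and its Microsoft-styled display name (T1050, T1035, T1036), the LocalAccountTokenFilterPolicy value being set to 1 (T1112, T1088), and the RemoteRegistry service being enabled (T1112). The following script is an added example, not code from the ATT&CK page or the cited reports; it turns those rows into detection logic and runs it over constructed sample events. The event dicts loosely mirror Windows System log event 7045 (service installed) and Sysmon event 13 (registry value set), but the field names (host, event_id, service_name, display_name, target_object, details) are assumptions, not a real product schema.

```python
"""
Added example: match the Shamoon host indicators from the technique table
against constructed log events. Event fields are an assumed schema, loosely
modelled on Windows System event 7045 and Sysmon event 13.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the technique table on this page.
SUSPECT_SERVICE_NAME = "ntssrv"
SUSPECT_DISPLAY_NAME = "Microsoft Network Realtime Inspection Service"
UAC_REMOTE_VALUE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"
# Service start type of RemoteRegistry (assumed path; 4 = Disabled in the SCM).
REMOTE_REGISTRY_START = r"SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start"
SERVICE_DISABLED = 4


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    reason: str


def _dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering, or a bare integer literal."""
    text = details.strip()
    if text.upper().startswith("DWORD") and "(" in text and ")" in text:
        text = text[text.index("(") + 1 : text.rindex(")")]
    try:
        return int(text, 0)
    except ValueError:
        return None


def check_event(ev: dict) -> List[Finding]:
    """Return the findings a single event produces (empty list if benign)."""
    host = str(ev.get("host", "unknown"))
    eid = ev.get("event_id")
    findings: List[Finding] = []

    if eid == 7045:  # new service installed: T1050 / T1035, plus T1036 masquerading
        name = str(ev.get("service_name", ""))
        display = str(ev.get("display_name", ""))
        if name.lower() == SUSPECT_SERVICE_NAME:
            findings.append(Finding("T1050", host, f"service {name!r} matches the Shamoon service name"))
        if display == SUSPECT_DISPLAY_NAME:
            findings.append(Finding("T1036", host, f"display name {display!r} imitates a Microsoft service"))

    elif eid == 13:  # registry value set: T1112 (the UAC value also covers T1088)
        target = str(ev.get("target_object", "")).upper()
        value = _dword(str(ev.get("details", "")))
        if target.endswith(UAC_REMOTE_VALUE.upper()) and value == 1:
            findings.append(Finding("T1112", host,
                                    "LocalAccountTokenFilterPolicy set to 1 (UAC remote restrictions disabled)"))
        elif target.endswith(REMOTE_REGISTRY_START.upper()) and value is not None and value != SERVICE_DISABLED:
            findings.append(Finding("T1112", host, f"RemoteRegistry start type changed to {value} (service enabled)"))

    return findings


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over a stream of events and collect every finding."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: the first two are benign, the last three match the table.
SAMPLE_EVENTS = [
    {"host": "WS02", "event_id": 7045, "service_name": "Spooler", "display_name": "Print Spooler"},
    {"host": "WS02", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "details": "DWORD (0x00000000)"},
    {"host": "WS01", "event_id": 13,
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start",
     "details": "DWORD (0x00000002)"},
    {"host": "WS01", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "details": "DWORD (0x00000001)"},
    {"host": "WS01", "event_id": 7045, "service_name": "ntssrv",
     "display_name": "Microsoft Network Realtime Inspection Service"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.technique} - {finding.reason}")
```

The registry matches are deliberately anchored on the tail of the key path so they work whether the source renders the hive as HKLM or HKEY_LOCAL_MACHINE. A LocalAccountTokenFilterPolicy change is a legitimate administrative action in some environments, so in practice the two WS01 registry findings are most useful when correlated with the service install on the same host within a short window, which is what the sample above models.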

References