Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | |
| Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance." |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | |

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting
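Added here as a defender's example, not code from ATT&CK or the cited reports: a check over constructed service records that flags the service names and display name described under T1036.004 above. The record layout (name, display name, description, image path) is an assumption, roughly what a collector would extract from Windows Event ID 7045 or the Services registry hive, and the "claims Microsoft but runs outside the Windows directory" rule is a heuristic of my own, not something the page states.

```python
import re
from dataclasses import dataclass

# Indicators taken from the description above: the service names Shamoon
# creates and the display name it uses to look legitimate.
KNOWN_NAMES = {"ntssrv", "maintenacesrv"}
KNOWN_DISPLAY = "microsoft network realtime inspection service"

# Assumed heuristic (not from the page): a service whose display name claims
# to be Microsoft's but whose binary lives outside %SystemRoot% deserves a look.
MS_PATH = re.compile(r"^[a-z]:\\windows\\", re.I)

@dataclass
class ServiceRecord:
    name: str          # service (key) name
    display_name: str  # display name shown in services.msc
    description: str   # description string
    image_path: str    # path of the service binary

def check_service(rec: ServiceRecord) -> list[str]:
    """Return the list of reasons this service record looks suspicious (empty if none)."""
    reasons = []
    if rec.name.lower() in KNOWN_NAMES:
        reasons.append(f"service name {rec.name!r} matches a service name Shamoon creates")
    if rec.display_name.lower() == KNOWN_DISPLAY:
        reasons.append("display name matches the 'Realtime Inspection' masquerade")
    if "maintenace" in rec.name.lower():  # the misspelling noted in the description
        reasons.append("service name contains the misspelling 'maintenace'")
    if "microsoft" in rec.display_name.lower() and not MS_PATH.match(rec.image_path):
        reasons.append("claims to be Microsoft but binary is outside the Windows directory")
    return reasons

def scan(records: list[ServiceRecord]) -> dict[str, list[str]]:
    """Map each flagged service name to its reasons; clean services are omitted."""
    hits = {}
    for rec in records:
        reasons = check_service(rec)
        if reasons:
            hits[rec.name] = reasons
    return hits

# Constructed sample records, not real telemetry.
SAMPLE = [
    ServiceRecord("wuauserv", "Windows Update", "Enables update detection", r"C:\Windows\system32\svchost.exe"),
    ServiceRecord("ntssrv", "Microsoft Network Realtime Inspection Service",
                  "Helps guard against time change attempts", r"C:\Windows\system32\ntssrv.exe"),
    ServiceRecord("MaintenaceSrv", "MaintenaceSrv", "", r"C:\Windows\temp\MaintenaceSrv32.exe"),
    ServiceRecord("AcmeAgent", "Microsoft Helper", "", r"C:\Users\Public\agent.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```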