Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.^[1]^[2]^[3]^[4]

ID: S0140

Associated Software: Disttrack

Type: MALWARE

Platforms: Windows

Version: 2.0

Created: 31 May 2017

Last Modified: 24 April 2019

Associated Software Descriptions

Name	Description
Disttrack	^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1088	Bypass User Account Control	Shamoon attempts to disable UAC remote restrictions by modifying the Registry.^[1]
Enterprise	T1043	Commonly Used Port	Shamoon has used TCP port 8080 for C2.^[1]
Enterprise	T1485	Data Destruction	Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites.^[3]^[4]^[1]^[2]
Enterprise	T1486	Data Encrypted for Impact	Shamoon has an operational mode for encrypting data instead of overwriting it.^[1]^[2]
Enterprise	T1487	Disk Structure Wipe	Shamoon has been seen overwriting features of disk structure such as the MBR.^[3]^[4]^[1]^[2]
Enterprise	T1036	Masquerading	Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols."^[1]
Enterprise	T1112	Modify Registry	Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy` to 1.^[4]^[1]
Enterprise	T1050	New Service	Shamoon creates a new service named "ntssrv" to execute the payload.^[1]
Enterprise	T1027	Obfuscated Files or Information	Shamoon contains base64-encoded strings.^[1]
Enterprise	T1012	Query Registry	Shamoon queries several Registry keys to identify hard disk partitions to overwrite.^[1]
Enterprise	T1105	Remote File Copy	Shamoon can download an executable to run on the victim.^[1]
Enterprise	T1018	Remote System Discovery	Shamoon scans the C-class subnet of the IPs on the victim's interfaces.^[4]
Enterprise	T1053	Scheduled Task	Shamoon copies an executable payload to the target system by using Windows Admin Shares and then scheduling an unnamed task to execute the malware.^[4]^[1]
Enterprise	T1035	Service Execution	Shamoon creates a new service named "ntssrv" to execute the payload.^[1]
Enterprise	T1071	Standard Application Layer Protocol	Shamoon uses HTTP for C2.^[1]
Enterprise	T1082	System Information Discovery	Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.^[1]
Enterprise	T1016	System Network Configuration Discovery	Shamoon obtains the target's IP address and local network segment.^[1]
Enterprise	T1124	System Time Discovery	Shamoon obtains the system time and will only activate if it is greater than a preset date.^[1]
Enterprise	T1078	Valid Accounts	If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.^[4]
Enterprise	T1077	Windows Admin Shares	Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.^[4]

Groups That Use This Software

ID	Name	References
G0064	APT33	^[5]

Shamoon

Associated Software Descriptions

Enterprise Layer

Techniques Used

Groups That Use This Software

References