Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[1][2][3][4]

ID: S0140
Associated Software: Disttrack

Type: MALWARE
Platforms: Windows

Version: 2.0

Associated Software Descriptions

Name | Description
Disttrack | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[1]
Enterprise | T1043 | Commonly Used Port | Shamoon has used TCP port 8080 for C2.[1]
Enterprise | T1485 | Data Destruction | Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites.[3][4][1][2]
Enterprise | T1486 | Data Encrypted for Impact | Shamoon has an operational mode for encrypting data instead of overwriting it.[1][2]
Enterprise | T1487 | Disk Structure Wipe | Shamoon has been seen overwriting features of disk structure such as the MBR.[3][4][1][2]
Enterprise | T1036 | Masquerading | Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.”[1]
Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It then connects to the system with RegConnectRegistryW and modifies the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.[4][1]
Enterprise | T1050 | New Service | Shamoon creates a new service named “ntssrv” to execute the payload.[1]
Enterprise | T1027 | Obfuscated Files or Information | Shamoon contains base64-encoded strings.[1]
Enterprise | T1012 | Query Registry | Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[1]
Enterprise | T1105 | Remote File Copy | Shamoon can download an executable to run on the victim.[1]
Enterprise | T1018 | Remote System Discovery | Shamoon scans the C-class subnet of the IPs on the victim's interfaces.[4]
Enterprise | T1053 | Scheduled Task | Shamoon copies an executable payload to the target system by using Windows Admin Shares and then schedules an unnamed task to execute the malware.[4][1]
Enterprise | T1035 | Service Execution | Shamoon creates a new service named “ntssrv” to execute the payload.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Shamoon uses HTTP for C2.[1]
Enterprise | T1082 | System Information Discovery | Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[1]
Enterprise | T1016 | System Network Configuration Discovery | Shamoon obtains the target's IP address and local network segment.[1]
Enterprise | T1124 | System Time Discovery | Shamoon obtains the system time and will only activate if it is greater than a preset date.[1]
Enterprise | T1078 | Valid Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard-coded, domain-specific credentials gathered earlier in the intrusion.[4]
Enterprise | T1077 | Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.[4]
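The host artifacts listed above (the LocalAccountTokenFilterPolicy value set to 1, a service named ntssrv or carrying the spoofed display name, and the RemoteRegistry service left running) can be checked with a short hunting script. The script below is an added example, not part of this ATT&CK entry or of any referenced report; it assumes it is run from an elevated PowerShell session on the Windows host being examined, and it only reads state, never changes it.

```powershell
# Added example: hunt for the Shamoon-related host artifacts described in this entry.
# Assumes an elevated PowerShell session on the host being checked (read-only checks).
$findings = @()

# T1088 / T1112: UAC remote restrictions disabled by setting LocalAccountTokenFilterPolicy = 1
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1) {
    $findings += "LocalAccountTokenFilterPolicy is 1 (UAC remote restrictions disabled)"
}

# T1050 / T1035 / T1036: a service named ntssrv, or any service reusing the spoofed display name
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if ($s.Name -eq 'ntssrv' -or $s.DisplayName -eq 'Microsoft Network Realtime Inspection Service') {
        $findings += "Suspicious service '$($s.Name)' ('$($s.DisplayName)') -> $($s.PathName)"
    }
}

# T1112: RemoteRegistry running. It is stopped on most client builds; servers often leave it
# Manual/trigger-start, so treat a Running state as a lead to correlate, not proof on its own.
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($rr -and $rr.Status -eq 'Running') {
    $findings += "RemoteRegistry service is Running (StartType $($rr.StartType))"
}

if ($findings.Count -eq 0) {
    "No Shamoon-related artifacts found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Any hit should be correlated with the other behaviours in the table (an unnamed scheduled task, copies of the payload arriving over admin shares, HTTP C2 on TCP 8080) before acting, since the registry value and RemoteRegistry state also occur in legitimate administration.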

Groups

Groups that use this software:

APT33

References