Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.[1] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[2][3][4][5]
| Name | Description |
|---|---|
| Disttrack | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."[2][6] |
| Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Shamoon creates a new service named "ntssrv" to execute the payload. Newer versions create the "MaintenaceSrv" and "hdv_725x" services.[2][3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.[3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1486 | Data Encrypted for Impact | Shamoon has an operational mode for encrypting data instead of overwriting it.[2][3] |
| Enterprise | T1485 | Data Destruction | Shamoon attempts to overwrite operating system files and disk structures with image files.[4][5][2] In a later variant, randomly generated data was used for data overwrites.[3][6] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard-coded, domain-specific credentials gathered earlier in the intrusion.[5][3] |
| Enterprise | T1012 | Query Registry | Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[2] |
| Enterprise | T1570 | Lateral Tool Transfer | Shamoon attempts to copy itself to remote machines on the network.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[2] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Shamoon has been seen overwriting features of disk structure such as the MBR.[4][5][2][3] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Shamoon can change the modified time for files to evade forensic detection.[6] |
| Enterprise | T1082 | System Information Discovery | Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[2][3] |
| Enterprise | T1529 | System Shutdown/Reboot | Shamoon will reboot the infected system once the wiping functionality has been completed.[3][6] |
| Enterprise | T1124 | System Time Discovery | Shamoon obtains the system time and will only activate if it is greater than a preset date.[2][3] |
| Enterprise | T1569.002 | System Services: Service Execution | Shamoon creates a new service named "ntssrv" to execute the payload. Shamoon can also spread via PsExec.[2][7] |
| Enterprise | T1016 | System Network Configuration Discovery | Shamoon obtains the target's IP address and local network segment.[2][6] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Shamoon can impersonate tokens using |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[5] |
| Enterprise | T1018 | Remote System Discovery | Shamoon scans the C-class subnet of the IPs on the victim's interfaces.[5] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.[5][2] |
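The service names, display name and description quoted in the Masquerade Task or Service and Windows Service rows above are concrete artifacts a defender can check service-install telemetry against. The following is an added example, not code from the ATT&CK page or any of its cited reports: it triages constructed records shaped like the fields of a Windows System log Event ID 7045 (service name, display name, description) and reports which Shamoon artifacts each record matches; the record field names and sample data are assumptions.

```python
# Added example: triage constructed Windows service-install records (the fields
# of a System log Event ID 7045) against the Shamoon service names, display
# name and description quoted on this page. Sample data below is constructed.

KNOWN_SERVICE_NAMES = {"ntssrv", "maintenacesrv", "hdv_725x"}
KNOWN_DISPLAY_NAME = "microsoft network realtime inspection service"
DESCRIPTION_MARKER = "time change attempts targeting"


def shamoon_service_findings(record):
    """Return the reasons one service-install record matches the Shamoon
    service artifacts (empty list means nothing matched). Matching is
    case-insensitive so the misspelled 'MaintenaceSrv' is caught as written."""
    name = record.get("service_name", "").strip().lower()
    display = record.get("display_name", "").strip().lower()
    desc = record.get("description", "").lower()
    findings = []
    if name in KNOWN_SERVICE_NAMES:
        findings.append(f"known Shamoon service name: {record['service_name']}")
    if display == KNOWN_DISPLAY_NAME:
        findings.append("display name mimics a Microsoft service")
    if DESCRIPTION_MARKER in desc:
        findings.append("description text matches Shamoon's fake service")
    return findings


def triage(records):
    """Map each matching record's service name to its findings; clean
    records are omitted so the result doubles as an alert list."""
    return {r["service_name"]: f for r in records
            if (f := shamoon_service_findings(r))}


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"service_name": "ntssrv",
     "display_name": "Microsoft Network Realtime Inspection Service",
     "description": "Helps guard against time change attempts targeting known "
                    "and newly discovered vulnerabilities in network time protocols."},
    {"service_name": "MaintenaceSrv", "display_name": "Maintenace Srv",
     "description": ""},
    {"service_name": "Spooler", "display_name": "Print Spooler",
     "description": "Manages print jobs."},
]

if __name__ == "__main__":
    for svc, reasons in triage(SAMPLE_RECORDS).items():
        print(svc, "->", "; ".join(reasons))
```

Run against real 7045 exports by mapping the event's ServiceName and ImagePath fields onto the record keys; the display name and description come from the registered service's configuration rather than the event itself.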