Rise of Shamoon Wiper Malware variant

Shamoon is still alive. And this time Shamoon has come back to target computer systems in the same region.

You don’t need more evidence that malware attacks have become a reality.

The malware attacks of today are aggressive.

And they are out to wipe your disk clean.

The specific malware that we want to concentrate here is Shamoon or W32.Disttrack.

Hackers used this malware to attack Saudi Arabia’s energy sector back in the year 2012.

The surprising part is that it has made a comeback.

Hackers have used the same malware to carry out a fresh wave of cyber attacks.

This time, the targets are again based in Saudi Arabia.

Hackers have used a different variant of the malware this time around.

But, generally speaking, the variant uses the same code to destroy its targets.

It isn’t all that revolutionary than what hackers came up with four years back.

In the 2012 cyber attacks, hacker wiped out the master boot records of infected machines.

Then they replaced those with an image.

This image showed the US flag.

A burning US flag.

Hackers carried out similar attacks in which they used software hacks to clean data from hard drives.

Researchers witnessed these type of attacks in 2014 as well.

In 2014, most of these attacks targeted Sony and Las Vegas Sands.

The online new publication Bloomberg News reported that hackers damaged thousands of computer at the General Authority of Civil Aviation headquarters.

The authority is set to commence from November of this year.

Researchers have told the media that hackers used a malware that erased critical data hard drives.

And brought the operations of the targeted facilities to a complete halt.

And that too for multiple days.

The other thing to note here is that the Saudi airport did not report any disturbance in its operations.

In other others, hackers failed to affect the operations at the Saudi airport.

Shamoon Wants the Middle East One More Time. For Now.

Shamoon and all other Shamoon variants are out there to do one thing: wipe out hard drives

Saudi Press Agency (a state-backed agency) cited a government statement and reported that the country’s national cyber security officials had managed to detect what, the officials of the department, referred to as a systemic cyber attack on critical government authorities and agencies.

Hackers affected government agencies such as the transportation sector and many more.

Hackers also made sure to aim their attacks in a such a way that they would halt government operations.

They also managed to steal data.

Moreover, hackers also planted viruses.

This is what the Saudi Press Agency reported a while ago.

According to a report published in Saudi Press agency, officials working for the government had alerted and warned the government about such attacks well in advance.

In fact, they did so about a month ago.

They had also sent potentially at risk entities tips on how to defend their machines.

This slightly suggests that government official did not take those messages too seriously.

The statement from the government said that the cyber attacks had indeed come from outside the country i.e Saudi Arabia.

Hackers staged the attack from someplace other than Saudi Arabia.

But the government did not specify the hackers’ targets.

They also did not reveal any information on when hackers managed to breach their systems.

Bloomberg’s Take

A Bloomberg report cited some anonymous sources and said that these hackers belonged to a state-backed hacker group.

The report also said that these hackers had carried out the attack which resulted in multiple breaches.

Moreover, the Bloomberg report also suggested that this hacker group and their attacks might have emanated from Saudi Arabia’s neighboring country Iran.

Everybody knows that Saudi Arabia and Iran have fought a long cyber war.

Each nation hits the other with cyber attacks that are meant to harm the other nation.

This cycle has continued for well over four years.

Back in the April of 2012, engineers working at Iran’s Kharg oil terminal noticed that the facility’s computer machine had stopped their normal function.

Most of us already know that the Kharg Oil Terminal is responsible for a large percentage of Iranian oil exports.

Moreover, it forms just a speck when one looks at it from the Persian Gulf perspective.

Hackers also launched a similar attack on Tehran’s Oil Ministry Headquarters.

Local news accounts reported that people working at the ministry indeed faced technical problems.

So What Happened?

Shamoon along with all its variants have multiple components to make sure infected computers are damaged

Researchers later found out that a computer virus had managed to sneak into the ministry’s computer systems.

And in the process of doing so, had disrupted its internal network.

It removed important files from the ministry’s hard drives.

And then took over their computer machines.

Some insiders in the industry initially suspected that hackers from within the country had carried out these cyber attacks.

Of course, they didn’t find any conclusive evidence that they actually did.

After a period of four months, Saudi Aramco also fell victim to a computer virus.

Saudi Aramco is currently the largest oil company in Saudi Arabia.

The computer virus erased important data on over seventy-five percent of Saudi Aramco’s computer systems.

The virus then moved ahead and replaced all files with a burning US flag image.

Officials from an American Intelligence agency said that they considered Iran as the main perpetrator.

But they did not provide any evidence either.

The chief technology officer and the co-founder of CrowdStrike, a security firm, Dmitri Alperovitch, wrote a blog post on the situation.

He said that hackers had used a malware variant of Shamoon on Saudi Aramco.

He also said that currently, he didn’t have a clear idea of the motives of these hackers.

Moreover, he noted, Iran had previously attacked Saudi Arabia as well and that complicated things further.

The fact that the two countries, Saudi Arabia and Iran, are perpetually interlocked in regional dominance via sectarian competition doesn’t help matters either.

And there are no signs that these tensions will subside anytime soon.

The other problem is that, these countries are supporting opposing armies in war-torn countries such as Yemen and Syria.

Some media reports say that intelligence agents from Iran used Shamoon malware back in 2012 as a retaliatory response to Iran’s international sanctions.

Alperovitch also believes that Iran could have carried out these attacks for this very reason.

Interestingly enough, the latest round of cyber attacks has popped up just days before the meeting of OPEC countries.

Organization of Petroleum Exporting Countries had set up a meeting in Vienna beforehand.

The participating countries decided to decrease oil production.

Reports say OPEC had not made a similar decision for the past eight years.

OPEC’s actions lead to a simultaneous increase in oil prices around the world.

Some reports also say that hackers had prepared a lot before they carried out their attack on the ministry’s operations.

Hackers first configured the malware with passwords.

They had stolen these passwords beforehand from selected organizations.

Reports also say that hackers likely used these passwords in order to spread the malware across multiple targeted companies networks.

How Did Hackers Steal The Related Credentials?

No one knows how they stole those credentials.

What some security experts do know is this:

Hackers had set the malware’s default configuration in such a way that it triggered a disk-wiping payload at about 8:45 pm on Thursday local time on the day of November 17nth.

Readers from other countries should know that the work week in Saudi Arabia is from Sunday to Thursday.

Hackers had actually timed their attack to that it would occur after most of the staff had left their offices.

And gone back home.

And since they targeted these networks on the weekend, no one from the office would have a chance to discover the attacks.

This allowed hackers to do the maximum amount of damage to these selected organizations.

Palo Alto Networks also reported that the Shamoon breach used the Disttrack malware.

They also reported that hackers considered it as a multipurpose tool.

This tool exhibited a worm-like behavior.

Moreover, it attempted to spread itself onto other computer systems as well.

It stole the relevant administrator credentials and then started to spread throughout the local network.

Palo Alto Networks reported that this malware affected a minimum of 30,000 computer machines.

And it damaged many systems in the 2012 cyber attacks.

Shamoon. What Is It? How Does It Work?

Shamoon is a type of malware.

It uses several components in order to gain access to and infect computer machines.

Among many other components, one component is the dropper.

Shamoon uses this to create a service called NtsSrv and achieves persistence on the computer it infects.

Shamoon, in a bid to spread itself to the whole local network, will copy itself on other computers as well.

Moreover, it will drop similar and additional components on other computers in order to infect them as well.

Hackers have built the dropper component in both the 64-bit version and the 32-bit version.

If a 32-bit component drops on a computer that has 64-bit architecture then it will drop the  64-bit version there we well.

Second Component

The other component that Shamoon uses is called the wiper.

The wiper itself drops a third malicious component.

This component is called Eldos driver.

Shamoon uses this component to access the infected computer’s hard disk.

It can do that directly from the infected computer’s user-mode.

In other words, it does not need any Windows APIs.

The wiper component makes use of the Eldos driver to overwrite the infected machine’s hard disk.

Shamoon wiper overwrites it with the Syrian boy image that we talked out beforehand.

Final Component

The last component that Shamoon uses is called the reporter.

The Reporter is basically responsible for managing and handling communications.

Communications between who?

Between the infected computer and the command and control server.

Hackers operate the command and control server.

The reporter can also download supplementary binaries from the command and control server.

Then it can change the already pre-configured disk-wiping scheduled time if the command and control server instructs it.

Hackers also configure the reporter to verify that the infected machine’s hard disk is now wiped clean of any data.

And it does relay that information to the command and control server.

Shamoon 2.0

Security researchers have found some Shamoon 2.0 samples via FireEye.

And they have found the following,

  • The malware Shamoon first assigns an IP address to each interface that is present on the target system.
    Then it scans the IP address’s C-class subnet.
  • After that, Shamoon attempts to access the shares related to D $ \ Windows, C $ \ Windows, ADMIN$ and the E $ \ Windows.
    It does that for all targeted systems but with the current privileges only.
  • If Shamoon finds that it can’t use the current privileges to access the above-mentioned shares, it makes use of domain specific and hard coded credentials.
    It gains these during a much earlier phase of the cyber attack in order to do the same.
    Examples include local Administrator or Domain administrator.
  • Once Shamoon has gained access it moved ahead to enable the target device’s Remote Registry service.
    Then it sets the relevant path values to zero.

    This allows it access to the share folders.

  • When Shamoon has finished earlier actions, it then starts to copy the ntssrvr32.exe to its destination on the targeted machine.
    Then it schedules an anonymous task, like Ar2.job in order to execute the actual malware.
  • Researchers found that the malware they identified used hard coded dates in order to launch its wiping component.
    When the malware has infected computer systems, they schedule the job in order to start the actual process after a short while.
  • Shamoon malware also sets the infected machine’s system clock.
    It sets it to a random date in the year 2012 and month August.
    Research analysis shows that Shamon might do this to ensure that a component (usually a genuine driver but used with malicious intent) that actually wipes the Volume Boot Record and the Master Boot Record is well within its expiry date i.e validity period for test license.
  • Researchers have also found out that the original version of Shamoon malware overwrote operating system, or OS, files with a photo of the burning American flag.
    The much recent versions want to overwrite those same Windows operating system files with a different photo.
    Basically, it overwrites them with a JPG file that depicts a Syrian child.
    More specifically, ALan Kuri, who died while he attempted to make his way across the Mediterranean Sea.

Are There Any Indicators That Can Expose A Compromise?

hackers who use Shamoon give off certain indicators that organizations can use to spot a compromise

Researchers have come up with a set of guidelines with regards to the Indicators of a Potential COmpromise.

These indicators though, are only for the recently identified variant of Shamoon.

Security researchers recommend that government agencies along with critical infrastructure organizations should immediately check for the execution or presence of the following files within the system’s Workstation environments and Windows Server locations.

An organization that exists in the Gulf Cooperation Council region must do this as soon as possible.

Moreover, security researchers also say that they recommend that all clients should now regularly test and review the recovery plans for a disaster related to all critical systems that exist in the environment.

As mentioned before, security firms such as,

  • Palo Alto
  • Symantec
  • FireEye
  • McAfee
  • CrowdStrike

all have reported on this specifically advanced sabotage malware.

Intelligence officials in the United States of America have recently said that Iran is the country that is behind such attacks.

Guidelines to Detect Shamoon On Your System

Organizations and users have to follow a specific set of guidelines in order to ensure that they can detect Shamoon malware.

They can also use these guidelines to counteract Shamoon malware activity and other Shamoon attempts in order to stop Shamoon from propagating through any given environment.

Readers should take note that any of these actions, when performed, can lead to negative effects.

Hence, one should not implement these without appropriate study and review of the environment these will impact.


  • Users should monitor any related events in their system’s SIEM that display dates close to August 2012.
  • They should also monitor their systems for any time change events.
    These events usually set the machine’s clock right back to and from the date August 2012.
  • Organizations should also monitor their systems for Remote Registry service starts
  • Companies should also monitor changes that may occur to the above-mentioned registry key values.
    They should ensure that all related registry values are non-zero.
  • Limit and sometimes prevent any unauthorized access to the above-mentioned shares.
    Or any shares that, if compromised, can impact the whole setup in a significant way.
  • Organizations should prevent client to client communications in order to slow down the rate at which the Shamoon malware spreads across the local network.
    This could also have a considerable impact on the base setup
  • Organizations should also make sure that they monitor file systems on their computer systems for any suspicious file names or indicators of the creation of such filenames.
    Security firms have come up with the list of filenames that organizations should look out for if they fear Shamoon has infected their networks.
    Users can search for those using any popular search engine
  • Security personnel should make sure that, as far as their privileged accounts are concerned, they should change their credentials.
    Moreover, they should also make sure that passwords for all local Administrator accounts are difficult and unique.
    And they should employ such strategy for each system.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.