Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back. The Shamoon malware, now in a “Shamoon 2” variant, is again targeting Saudi computers. Back in 2012, malware known as Disttrack, operating under the name Shamoon, hit computers in Saudi Arabia, and Iran was widely blamed. Iran is believed to have built up its malware capability after being on the receiving end of Stuxnet in 2010, adapting ideas from Stuxnet and the Wiper malware to strike back at targets of its own. In the 2012 attack, over 30,000 systems on the Saudi Aramco and RasGas Co Ltd. networks were destroyed, and Saudi Aramco was knocked offline for over a week.

Shamoon, widely considered a copycat of Wiper, wipes the hard drives of Windows systems. Purely destructive malware is relatively rare; other recent malware, e.g. the Mamba ransomware, holds users to ransom to get their systems decrypted. Previous well-known disk-wiping attacks include the 2013 Dark Seoul attack and, in 2014, the attacks on Sony Pictures Entertainment and on the Las Vegas Sands casino company.

The 2012 Shamoon attacks against Saudi Aramco and RasGas Co Ltd. computers overwrote files with an image of a burning U.S. flag; the Shamoon 2 attack used a distasteful image of the body of the drowned Syrian refugee child Alan Kurdi (the Iranian state blames Saudi Arabia for the situation in Syria).

Shamoon 2 was configured to start wiping the hard drives of infected machines on 17 November 2016. This time, the Saudi targets included the administrative systems of the civil aviation authority and the transportation ministry, along with the Saudi central bank. After it starts wiping the disk, Shamoon 2 also destroys the machine’s boot records so the operating system cannot be recovered. As in 2012, the wipe was timed for when most employees would be off work: 17 November 2016 was a Thursday, the start of the Saudi weekend (the working week runs Sunday to Thursday), so the malware potentially had the entire weekend to spread unnoticed. The 2012 attack had likewise been timed to Lailat al Qadr, one of the holiest nights of the year for Muslims, when most staff were on leave.

How Shamoon and Disttrack work


Disttrack comprises three parts: a dropper, a communications component and a wiper. The dropper executable extracts the other components, writes them to disk and coordinates when each is executed. The communications component talks to a C2 server (C&C, or command and control server) and the wiper component overwrites the hard drives.

Disttrack spreads to other computers on the network using previously stolen administrator credentials. As in the 2012 Shamoon attacks, those credentials were hard-coded into the malware, which implies the attackers had already compromised the victim networks well before the wiper was deployed.

The Dropper component

The dropper disables User Account Control (UAC) remote restrictions on the infected computer by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1, so that the stolen administrator credentials can be used over the network to log into remote systems and copy the payload there. The payload is written to the System32 folder. The kernel driver it carries is the RawDisk driver from the EldoS Corporation product, a commercial, legitimately signed driver that gives the malware direct access to files, disks and partitions without going through the normal Windows file-system checks. Finding LocalAccountTokenFilterPolicy set to 1 on workstations where no administrator intended it is a cheap and worthwhile check.

The Communications component

This component interacts with Disttrack’s command and control (C2) server using HTTP requests. In both the x86 and x64 variants, however, the module was configured with a C2 address that was not operational. That suggests the attackers never needed to remotely control the infected computers; the intention was simply to destroy them.

If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, since “shinu” may refer to the name of a village in north-west Iran, though a single query-string parameter is a weak basis for attribution on its own.

The Wiper component

The wiper component installs the kernel driver that lets it write to protected parts of the system, including the Master Boot Record (MBR), the partition tables and the volumes themselves.
After overwriting the target hard drives, Disttrack instructs the computer to restart. The computer shuts down, but because the malware has overwritten the boot record and partition tables, it cannot boot again. All system and user data is lost and the system has to be formatted and reinstalled (or, where the organisation has them, restored from offline backups).
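To make the wiper’s effect concrete, here is an added example (written for this page, not code from the Disttrack analysis or from any vendor) that parses a 512-byte MBR and flags the damage a boot-record wiper leaves behind: a missing 0x55AA signature, an image header where boot code should be, invalid status bytes or overlapping entries in the partition table. The two sample sectors are constructed: HEALTHY_MBR is a plausible two-partition disk and WIPED_MBR is the same sector after being overwritten with JPEG-like bytes. Run it against a disk image by passing the path as the first argument.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
SIG_OFF = 510                 # two-byte boot signature
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    def is_empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sectors == 0


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the classic four-entry table; the caller decides what to make of bad values."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(i, status, ptype, lba, count))
    return entries


def assess_mbr(mbr: bytes) -> Dict[str, object]:
    """Return 'intact' or 'suspect' plus the reasons, using structural checks only."""
    reasons: List[str] = []
    if mbr[SIG_OFF:SIG_OFF + 2] != BOOT_SIG:
        reasons.append("boot signature 0x55AA missing")
    if mbr[:3] == b"\xff\xd8\xff":
        reasons.append("sector starts with a JPEG header: an image was written over the MBR")
    entries = parse_partition_table(mbr)
    bad_status = [e.index for e in entries if e.status not in (0x00, 0x80)]
    if bad_status:
        reasons.append(f"invalid status byte in partition entries {bad_status}")
    used = [e for e in entries if not e.is_empty()]
    if not used:
        reasons.append("partition table is empty")
    ranges = sorted((e.lba_start, e.lba_start + e.sectors) for e in used)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(ranges, ranges[1:])):
        reasons.append("partitions overlap")
    return {"verdict": "intact" if not reasons else "suspect", "reasons": reasons, "partitions": entries}


def build_mbr(partitions, boot_code: bytes = b"") -> bytes:
    """Assemble a sector from (bootable, type, lba_start, sectors) tuples. Constructed test data only."""
    sector = bytearray(SECTOR)
    code = boot_code[:PART_TABLE_OFF]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIG_OFF:SIG_OFF + 2] = BOOT_SIG
    return bytes(sector)


# Constructed samples: a two-partition NTFS disk, and a sector overwritten with image data
# (the 2012 Shamoon payload wrote a JPEG over the boot sectors).
HEALTHY_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1843200)],
                        boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
WIPED_MBR = b"\xff\xd8\xff\xe0" + b"A" * (SECTOR - 4)


def main(argv: List[str]) -> int:
    data = open(argv[1], "rb").read(SECTOR) if len(argv) > 1 else HEALTHY_MBR
    result = assess_mbr(data)
    print(result["verdict"], "; ".join(result["reasons"]) or "no findings")
    for e in result["partitions"]:
        if not e.is_empty():
            print(f"  entry {e.index}: type 0x{e.type_id:02x} start {e.lba_start} sectors {e.sectors}")
    return 0 if result["verdict"] == "intact" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a GPT disk the protective MBR carries a single entry of type 0xEE and passes these checks; validating the GPT header itself is a separate job. The checks are deliberately structural rather than signature-based, so they also catch a wiper that writes zeros or random bytes rather than a picture.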

Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)
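The hashes above are only useful if something compares them against files. The following is an added example (not code from the page’s sources) of a small sweep that hashes every file under a directory in chunks and reports matches against the table; the temporary directory, file name and one-entry indicator set used in demo_scan() are constructed for the demonstration. On a suspect host you would point it at the System32 folder, where the dropper writes its payload, and at any removable media that has touched the machine.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple

# SHA-256 indicators from the list above, keyed by lower-case hex digest.
DISTTRACK_IOCS: Dict[str, str] = {
    "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34": "Disttrack dropper (x64)",
    "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b": "Disttrack dropper (x86)",
    "772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5": "communication component (x64)",
    "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842": "communication component (x86)",
    "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a": "wiper component (x64)",
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd": "wiper component (x86)",
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": "EldoS RawDisk driver (x64)",
    "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6": "EldoS RawDisk driver (x86)",
}

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files never have to fit in memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def match_ioc(hexdigest: str, iocs: Dict[str, str] = DISTTRACK_IOCS) -> Optional[str]:
    """Case-insensitive lookup; returns the component label or None."""
    return iocs.get(hexdigest.strip().lower())


def scan_tree(root: str, iocs: Dict[str, str] = DISTTRACK_IOCS) -> Iterator[Tuple[str, str]]:
    """Yield (path, label) for every file whose SHA-256 is an indicator.
    Files that cannot be read (locked, permission denied) are skipped rather than aborting the sweep."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = match_ioc(sha256_file(path), iocs)
            except OSError:
                continue
            if label:
                yield path, label


def demo_scan() -> Tuple[List[str], List[str]]:
    """Constructed end-to-end run: writes one harmless file into a temporary directory and sweeps it
    twice, once with a one-entry indicator set built from that file's own hash, once with the real table."""
    sample = b"constructed sample file, not malware"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.bin"), "wb") as f:
            f.write(sample)
        custom = {hashlib.sha256(sample).hexdigest(): "constructed sample"}
        custom_hits = [label for _, label in scan_tree(d, custom)]
        real_hits = [label for _, label in scan_tree(d)]
    return custom_hits, real_hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in scan_tree(root):
        print(f"{label}: {path}")
```

Hash matching only finds these exact builds; a recompiled dropper will not match, so treat a clean sweep as absence of these samples, not absence of Disttrack.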


Zero Days: Film about Nitro Zeus & Stuxnet


Zero Days is a new film investigating the world’s first cyber weapon, known as Stuxnet, and the operation behind it, Operation Olympic Games. Stuxnet is malicious software written to sabotage industrial equipment while hiding what it is doing from the operators. The film also discusses another, reportedly even more powerful, cyber weapon known as Nitro Zeus.


Stuxnet is a malicious computer worm, possibly of US and Israeli origin. It targeted the Iranian uranium-enrichment facility at Natanz, making the damage look like a series of accidents.

Stuxnet specifically targets programmable logic controllers (PLCs), which automate electromechanical processes, e.g. the control of machinery on factory assembly lines, or of the centrifuges used to separate nuclear material.

Exploiting four zero-day flaws, Stuxnet spreads across machines and networks running Microsoft Windows, then looks for the Siemens Step 7 software used to program the PLCs. Stuxnet compromised Iranian PLCs, collecting information on the industrial systems and altering the centrifuges’ rotation speeds until they destroyed themselves.

Stuxnet’s design and architecture are not domain-specific; it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g. in car factories or power plants), the majority of which are in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.

Operation Olympic Games

Operation Olympic Games was a covert campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and possibly also by Israel.

Nitro Zeus

Nitro Zeus would have given the NSA (National Security Agency) the ability to attack Iran’s command-and-control systems, crippling the whole country’s communications.

The state-sponsored attack would also have disabled Iranian air defences and damaged financial systems and vital parts of the power grid, allowing US and Israeli aircraft to operate over the area without being shot down.

The operation was held in reserve in case diplomacy and negotiations failed. The cyber programme was never actually used.


The Zero Days trailer can be found at the official site here


Yaser Balaghi Leaves Calling Card After Hacking the IDF

An Iranian hacker made a grave error while hacking a former chief of staff of the Israel Defense Forces (IDF).

The hacker, Tehran-based Yaser Balaghi, later boasted of the hack, but he also accidentally left behind a digital calling card that exposed his identity.

His error caused Iran to halt the operation, which had targeted 1,800 people globally, including Israeli army generals, human rights activists in the Persian Gulf and scientists.

The group behind the operation, known as “Rocket Kitten” (linked to the Iranian Revolutionary Guards and first identified in 2014), was exposed in a Check Point report in November 2015; targets received email messages designed to plant spyware on their computers.

More than 25% of those targeted opened the emails and unknowingly installed spyware that let the hackers steal information from their computers.

The cyber attacks originated from Iran against targets in Israel and the Middle East with Israeli generals among the targets.

The hackers used techniques including spear phishing (targeted emails leading to fake web pages that mimic real ones in order to capture login credentials) and compromised 40 targets in Israel and 500 worldwide.

The Israeli targets included generals, employees of security consulting firms and academic researchers.

Check Point Software researchers unmasked Balaghi after finding that he went by the handle “Wool3n.H4T”.

Not only did the Rocket Kitten hackers leave default passwords in place and allow password-less root access to their server management software, they also infected their own C&C (command and control) server with their keylogger malware and left it running. #fail

The Check Point researchers were then able to harvest the usernames and passwords of every account the hackers had logged into from that server. Oh dear…

In addition to allowing password-less root access to any visiting browser, the hackers made many other basic mistakes, including failing to hide the path back to the server from which the attacks originated.

That provided clear evidence that the attacks originated in Iran. #timeforanewjob

Check Point discovered Balaghi’s (Wool3n.H4T) AOL account (AOL, really?!), protected by the very 1337 password 123456789 (double #fail). This led them to a Farsi résumé he had posted online boasting of hacking work done for “a cyber-organization”, presumably an Iranian security agency 🙂

The researchers found a database listing the names of the members of the hacking crew (apparently real ones, as they were typical Iranian first and family names #lol), as well as links to web pages infected with their malware (which was also found on the server).

The database also includes a list of nearly 2,000 targets with their names, email addresses and other information, targeted since August 2014, when the server then in use appears to have been activated.

In one of the fake web pages the investigators found the name of Yaser Balaghi, who, based on internal messages and emails, appears to be the Rocket Kitten team leader. From there he was easily found with a quick Internet search.

This is a shameful example of bad Iranian OPSEC and completely undermines their otherwise arguable technical skills. #awkward



Iranian Hackers and Romanian Hackers Work Together

The Norse Intelligence Analysis Team identified several indicators of a trend: hacking groups in the Middle East working closely with European hackers to share tactics and techniques for conducting attacks.

According to Norse, the pattern is one of direct and continuous contact, with Middle Eastern hackers travelling to Europe to obtain training and experience, then staying on or returning home to begin politically motivated attacks on global targets.

Norse offers three cases to support this theory, one of them involving the Iranian hacking group Ashiyane Digital Security Team (ADST).

According to Norse, Ashiyane Digital Security Team and Romanian Security Team (RST), the largest online hacker community based in Romania, have been exchanging exploit and target data.

A series of posts on the RST forum announced a list of compromised Simple Mail Transfer Protocol (SMTP) servers. A large number of the same compromised systems appeared six months later in a post on the Ashiyane forum by a hacker known to operate from France. Norse identified some of the compromised SMTP systems as being used in phishing campaigns and other malicious activity; a compromised mail relay is a reusable asset for anyone who needs to send mail that does not trace back to them.


The Ottoman Hackers? Middle Eastern and Eastern European Exploit Exchange Program: Ashiyane Digital Security Team and Romanian Security Team.


Iranian Dark Coders Hacking Team: Everywhere and Anywhere but not Harmless

A presentation at the BlackHat USA security conference in Las Vegas reported that Iran appears to be actively looking for critical national infrastructure systems connected to the Internet in order to exploit them.

At BlackHat USA, Trend Micro researchers Kyle Wilhoit and Stephen Hilt revealed how their honeypot version of a Veeder-Root Guardian AST gas-gauge monitoring system (nicknamed “GasPot”) apparently fooled some Iranian hackers.

The Iranian hacking group Iranian Dark Coders, known as IDC-Team, modified the names of two tanks on a honeypot that appeared to be located in Jordan. IDC-Team, best known for defacements and malware distribution, renamed the two tanks “H4CK3D by IDC-TEAM” and “AHAAD Was Here”. These gauges expose an unauthenticated serial-over-TCP interface, so anyone who can reach the port can read inventory and change labels; only the fact that this was a honeypot kept the change harmless.
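As an added example (not Trend Micro’s GasPot code), the following sketches a minimal honeypot of the kind described above. The framing is modelled on the Veeder-Root TLS serial command conventions (an SOH byte before a function code such as I20100 for the in-tank inventory report, and S6020n to set the product label of tank n); the SOH/ETX bytes, the 9999FF1B error reply, the station name, tank labels, volumes and the listening port 10001 are assumptions made for this demonstration. handle_request() answers the two commands and logs everything, which is what lets a honeypot see a rename like the one IDC-Team performed.

```python
import datetime
import socketserver
from typing import Dict, List, Tuple

SOH, ETX = b"\x01", b"\x03"        # framing assumed here: SOH before the command, ETX after the reply
ERR_REPLY = b"9999FF1B\n" + ETX    # "command not understood" reply (assumed)


class GaugeState:
    """Constructed default inventory; a real site carries its own labels and volumes."""
    def __init__(self) -> None:
        self.tanks: Dict[int, str] = {1: "SUPER", 2: "UNLEAD", 3: "DIESEL", 4: "PREMIUM"}
        self.volume: Dict[int, int] = {1: 4821, 2: 6170, 3: 7903, 4: 2215}
        self.events: List[Tuple] = []   # every command is recorded; that is the point of a honeypot


def inventory_report(state: GaugeState, station: str = "FUEL STOP 12") -> str:
    """Text report in the shape a gauge prints for I20100 (layout assumed)."""
    now = datetime.datetime.now().strftime("%b %d, %Y %I:%M %p")
    lines = ["I20100", now, "", station, "", "IN-TANK INVENTORY", "",
             "TANK PRODUCT               VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP"]
    for n, label in sorted(state.tanks.items()):
        vol = state.volume[n]
        lines.append(f"  {n}  {label:<20}{vol:>8}{vol:>10}{10000 - vol:>9}"
                     f"{vol / 100:>9.2f}{0.0:>9.2f}{18.5:>9.2f}")
    return "\n".join(lines) + "\n"


def handle_request(raw: bytes, state: GaugeState, peer: str = "test") -> bytes:
    """Decode one command. No authentication is required, exactly as on the real device."""
    text = raw.lstrip(SOH).decode("ascii", "replace").strip()
    if text.startswith("I20100"):
        state.events.append(("inventory", peer))
        return SOH + inventory_report(state).encode() + ETX
    if text.startswith("S6020") and len(text) > 5 and text[5].isdigit():
        tank = int(text[5])
        label = text[6:].strip()[:20]        # real labels are short; the cap keeps the log sane
        if tank in state.tanks and label:
            state.events.append(("rename", peer, tank, state.tanks[tank], label))
            state.tanks[tank] = label
            return SOH + f"S6020{tank}\n".encode() + ETX
    state.events.append(("unknown", peer, text[:40]))
    return ERR_REPLY


class GaugeHandler(socketserver.BaseRequestHandler):
    state = GaugeState()   # shared across connections so renames persist, as on a real gauge

    def handle(self) -> None:
        data = self.request.recv(1024)
        if data:
            self.request.sendall(handle_request(data, self.state, self.client_address[0]))


if __name__ == "__main__":
    # 10001/tcp is the port these gauges expose. Run unprivileged, on an isolated segment, never in production.
    with socketserver.TCPServer(("0.0.0.0", 10001), GaugeHandler) as srv:
        srv.serve_forever()
```

The events list is the honeypot’s product: the peer address, the old and new label and the time of every rename are what turn “someone poked our fake gauge” into attributable activity. On a real gauge the same S6020 command succeeds just as silently, which is why these devices must not be reachable from the Internet.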


This is not new. As a Google search shows, IDC-Team has been hacking websites for a long time. According to their Facebook page the team started in 2012 and has since grown into a team with many members on its forum discussing hacks, bugs and computer security.

Over the last year IDC-Team has submitted more than 950 website defacements of targets all over the world. Many of these are government sites or companies with famous products (Jeep), which shows the team has enough skill to damage reasonably well-secured websites.

Why do they hack?

Despite the number of hacks by IDC-Team and the targets they choose, it is clear their agenda is little more than publicity. Their defacements are advertisements for their community and the individuals involved, not messages of hate and violence.

IDC-Team is everywhere and goes anywhere, as Trend Micro revealed. However, they appear to be looking for recognition as computer security experts rather than acting as hacktivists.


Iran claims to stop Dino Malware attack

Iran confirms that spy malware called Dino has been targeting sensitive centres inside the country for the past year and a half.

Masoud Biglarian, head of the Computer Emergency Response Team Coordination Center (CERTCC), said that after the malware was discovered, CERTCC, which is part of the Ministry of Information and Communication Technology (ICT), sent a secret report on the issue to the country’s officials.

According to Iran’s Mehr news agency, Biglarian said: “We took appropriate measures to prevent damage to the strategic centres of the country by Dino”.

He also said that Dino is a type of spyware which, like Stuxnet, is designed for specific purposes and launches targeted attacks.

He rejected claims that the malware infected some sensitive centers inside the country.

Last week some Western media outlets reported that the Dino malware, which searches for specific data and steals it, had infected some organisations inside Iran.

Researchers at security firm ESET in Bratislava, Slovakia, identified the sophisticated Dino Trojan, which attacked Iranian and Syrian targets in 2013; the group behind it is rumoured to be linked to the French intelligence services.

Dino was supposedly created by the so-called Animal Farm group, which also created other Trojans such as Bunny, Casper and Babar. Casper’s claim to fame is its involvement in a large-scale attack on computer systems in Syria last autumn.

ESET says that Dino’s main goal seems to be the exfiltration of files from its targets.

Large-scale cyber attacks on Iranian facilities started in 2010, after the US and Israel reportedly tried to disrupt the operation of Iran’s nuclear facilities with a worm that later became known as Stuxnet.

According to reports citing US intelligence officials in June 2013, Stuxnet was not only designed to disrupt Iran’s nuclear programme but was also part of a wider campaign directed from Israel that included the assassination of the country’s nuclear scientists.

Stuxnet is the first discovered worm that spies on industrial control systems and reprograms them. It is written specifically to attack the SCADA systems used to control and monitor industrial processes.

In September 2010 the Islamic Republic of Iran said that the Stuxnet worm had infected 30,000 IP addresses in Iran, but denied reports that the worm had damaged computer systems at the country’s nuclear plants.


Project “Pistachio Harvest”

Months of research into Iranian networks uncovered at least 16,000 systems controlled from Iran outside its borders, 2,000 of them infected machines belonging to businesses in the US, Israel and other countries.

Many of the IP addresses of those machines host .ir websites, domains that are used as platforms for attacks. According to Norse, in many cases visitors to those sites are later infected with malware designed specifically for surveillance and for obtaining valuable data from target organisations.

Most targets are in the US, although attacks have also hit the UK, Israel, Germany and Canada. Various US and European hosting companies have also been abused: cloud and hosting services of industry giants such as Amazon and GoDaddy are used to launch the attacks.

Norse believes previous research into Iranian activity may have included false assumptions about the actors involved, as Iran has been adept at creating disinformation and has used more than 5,000 fake social-networking profiles to lead investigators down trails that go nowhere.

iSight released a report claiming that these fake profiles were used to spy on military leaders and political staff across the world.

Norse set up fake systems that appeared to belong to businesses and critical-infrastructure providers and were attractive to attackers. It collected data on the subsequent attacks and traced a large number of them to Iran. Norse also used “millions of sensors dropped all over the world” and analysis tools for the tracing.

Turkey and Iran collaborate on cyber issues, and it is reported that Turkey, in exchange for oil and other goods, helped Iran circumvent the US and European sanctions imposed in response to its nuclear programme.

Rival security research firm CrowdStrike says it tracks four different Iranian groups, which it names Kittens. Each Kitten is separate from the others and has its own modus operandi and target list; one of them is Cutting Kitten.

Role of Iran’s Universities

The Islamic Republic of Iran has other ways of encouraging IT entrepreneurs to follow its commands. For example, the role of government in Iran’s university system is enormous. The regime has invested heavily in IT and other scientific infrastructure at the top educational institutions, including Sharif University of Technology, Shahid Beheshti University and the IRGC-linked Malek Ashtar University, and in return can direct research to pursue regime objectives.

The development of Iran’s nuclear weapons programme after 2003 is a useful example for understanding how the relationship between government, security services and universities evolved in IT. When Supreme Leader Khamenei ordered a halt to Iran’s state nuclear weapons research programme after the US invasion of Iraq in 2003, his lieutenants built a new structure that spread the relevant research through the university system.

The scale and effects of this effort are visible, but assessing the level of awareness or willingness of all the university participants is not easy, and Iran’s IT sector works in a similar fashion. Government and security institutions collaborate with universities in research to achieve government aims, making faculties and students components of the regime’s strategic efforts. After graduation, students find themselves in a network of associations and research projects that mostly also support regime priorities, whether they know it or not.

The Islamic Republic also uses the incentives created by mandatory military service to encourage aspiring young programmers to support state security efforts directly. At least one scientist involved in nuclear weapons-related research writes in his résumé that he was exempted from compulsory military service in exchange for work on a project deemed useful to the armed forces. This exemption programme was established in 2007.

Iran’s leaders have therefore carefully and consciously built national IT, education and corporate infrastructures that produce excellently educated developers with incentives to pursue government objectives and not to use their skills against the government. They have involved Iran’s security organs, especially the IRGC, in these structures in ways that let the regime use these IT and hacking capabilities with plausible deniability. In addition they have built an Internet infrastructure designed to hide the sources of malicious activity and to give the government the ability to monitor, regulate and control citizens’ access to the Internet in extremely fine detail.

Full details of the Norse Project Pistachio Harvest report are found here:

Regin Malware is “Groundbreaking”

Symantec has revealed details of malware called “Regin”, a multi-stage framework that can easily be adapted to gather different types of data. According to Symantec this is not just screen grabs and password theft but something far more sophisticated: Symantec has identified dozens of different payload modules that Regin can load.
Once Regin has acquired data it encrypts it and then exfiltrates it. The stolen data may never be written to disk but sent back immediately, and the encryption means that security devices and software do not easily detect it.
Symantec describes how Regin uses special features to stay below the detection radar: “These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.”
Regin has been found in 10 countries, and the victims range from telecoms operators to private individuals and small businesses. Symantec’s breakdown of infections by country:
  • 28% Russian Federation
  • 24% Saudi Arabia
  • 9% Mexico
  • 9% Ireland
  • 5% India
  • 5% Afghanistan
  • 5% Iran
  • 5% Belgium
  • 5% Austria
  • 5% Pakistan
And by target sector:
  • 48% Private individuals and small businesses
  • 28% Telecoms backbone
  • 9% Hospitality
  • 5% Energy
  • 5% Airline
  • 5% Research
Symantec describes Regin as follows: “In the world of malware threats, only a few examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware.”

Iran Cyber Attack Feared Soon

Fears are growing that Iran will unleash cyber warfare on US companies if negotiators fail to reach a nuclear deal by Monday that would require Iran to limit its nuclear programme.
Cyber attacks from Tehran dropped after the US, Iran and other countries agreed an interim nuclear deal in 2013, but if the discussions in Vienna fail before the 24 November deadline, observers expect a new series of attacks.
American financial companies, oil and gas companies and water-treatment systems could be among the targets.
The US has not yet faced the full force of Iran’s rapidly developing cyber capabilities. Iran first stepped up its cyber efforts in 2010 and launched a barrage of simplistic attacks on the US financial sector in 2012. Detecting such relatively harmless attacks was easy.
Over the last two years, Iran has formed a Supreme Council of Cyberspace that meets once a month and includes President Hassan Rouhani.
Iranian officials have also strengthened cybersecurity research partnerships with Russia, and Iran has gone from a nascent to a burgeoning cyber power.
Security company FireEye has described how one prominent Iranian hacking group went from website defacements in 2010 to “malware-based espionage” in just four years.
Iranian hackers are reported to have attacked the oil giant Saudi Aramco, the world’s most valuable company, and wiped the contents of 30,000 computers. The same malware also hit the Qatar-based liquefied natural gas firm RasGas.
While the US is constantly bombarded with cyber attacks, it has never been the subject of a large-scale destructive attack. So far Tehran’s hackers are mostly suspected of probing US infrastructure networks to understand how they are built.
But if the nuclear talks fall apart, that could change, and this time an Iranian attack could be more advanced.