Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back! The Shamoon malware, aka “Shamoon 2”, appears to be targeting Saudi computers again. Back in 2012, malware known as Disttrack, under the name Shamoon, targeted computers in Saudi Arabia, with Iran blamed as the culprit. It is believed that Iran built up its malware development skills after the attacks against Iran in the form of Stuxnet in 2010, and that it may have adapted malware such as Stuxnet and Wiper to fire back at its own targets. In 2012, Iran destroyed over 30,000 systems in the Saudi Aramco and RasGas Co Ltd. company networks, taking Saudi Aramco down for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems; such destructive malware is relatively rare (other recent malware, e.g. Mamba ransomware, instead holds users to ransom to get their systems decrypted). Previous well-known incidents involving disk-wiping software like Shamoon include the Dark Seoul attack in 2012 and, in 2014, the attacks on Sony Corporation’s Hollywood studios and the Sands Casino in Las Vegas.

The 2012 Shamoon attacks against Saudi Aramco & RasGas Co Ltd. computers displayed an image of a burning U.S. flag; the latest Shamoon 2 attack used a distasteful image of the body of the drowned Syrian refugee child Alan Kurdi (the Iranian state blames Saudi Arabia for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries along with the Saudi central bank. After starting to wipe the hard drive, Shamoon 2 also disables the computer’s boot functions so that the machine cannot recover its operating system. Similar to the attacks in 2012, Shamoon 2 was timed to detonate when most employees would be off work during a holiday (the Saudi work week runs from Sunday to Thursday), so the malware potentially had the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack work

Disttrack is made up of three parts: a dropper, a communications component and a wiper. The dropper executable extracts the other tools and coordinates when they are saved and executed. A separate component is responsible for communicating with a C2 server (C&C, or command and control server), and a third is used to wipe the hard drives.

Disttrack tries to spread to other computers across the network using previously obtained administrator credentials, as in the 2012 Shamoon attacks, where previously compromised credentials were hard-coded into the malware.

The Dropper component

The dropper disables User Account Control (UAC) remote restrictions on the target computer, logs into the remote system with an administrator’s stolen credentials, and writes the payload to the system32 folder. The kernel driver it installs is taken from the RawDisk product by EldoS Corporation; it gives the malware direct access to files, disks and partitions.

The Communications component

This component interacts with Disttrack’s command and control (C&C) server using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack, however, are not configured with an operational Disttrack C2 server. The lack of an operational C2 server suggests the Iranian attackers had no need to remotely access the targeted computers; the intention was simply to destroy them.

If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, because “shinu” may refer to the name of a village in north-west Iran.
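As an added example (not code from the original post), here is a small Python detection that scans web proxy log lines for the request shape described above, a GET to a path ending in category/page.php carrying a shinu parameter; the log format and the sample lines are constructed and the hostnames are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the original post).
# Assumed format: <timestamp> <client-ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2016-11-17T02:14:07Z 10.20.31.5 GET http://server.example/category/page.php?shinu=ja1p9/AAAA 404
2016-11-17T02:14:09Z 10.20.31.8 GET http://intranet.example/category/index.html 200
2016-11-17T02:15:41Z 10.20.31.5 GET http://server.example/category/page.php?shinu=ja1p9/BBBB 404
2016-11-17T02:16:00Z 10.20.31.9 POST http://updates.example/page.php?id=42 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_disttrack_beacon(method, url):
    """True if a request matches the Disttrack C2 GET shape from the post:
    GET .../category/page.php?shinu=<data>. The host is deliberately not
    checked because the samples had no operational C2 server; the path and
    parameter name are the stable part of the pattern."""
    if method != "GET":
        return False
    parts = urlsplit(url)
    if not parts.path.endswith("/category/page.php"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return "shinu" in query


def find_beacons(log_text):
    """Return (timestamp, client, url) for every matching line.
    Lines that do not fit the assumed format are skipped, not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_disttrack_beacon(m["method"], m["url"]):
            hits.append((m["ts"], m["client"], m["url"]))
    return hits


def hosts_with_beacons(log_text):
    """Distinct internal clients that emitted the beacon: the hosts an
    incident responder would isolate first, since the wiper follows."""
    return sorted({client for _, client, _ in find_beacons(log_text)})
```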

The Wiper component

The wiper component installs a kernel driver that allows it to write to protected parts of the system, including the Master Boot Record (MBR) and the partition tables of storage volumes.
After overwriting the target hard drives, Disttrack instructs the target computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost, and the system has to be formatted and reinstalled.
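As an added example (not part of the original post), the Python below parses sector 0 of a disk image and reports whether the boot signature and partition table that the wiper overwrites still look intact, the kind of check a forensic triage script would run on a suspect drive; the MBR bytes are constructed in the code, not taken from a real sample.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def make_sample_mbr(entries):
    """Build a constructed 512-byte MBR (not a real disk image) from
    (status, type, lba_start, sectors) tuples; CHS fields are left zero."""
    mbr = bytearray(MBR_SIZE)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the four primary partition entries into dicts."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return parts


def check_mbr(mbr, disk_sectors):
    """Return a list of findings; an empty list means sector 0 looks intact.
    A drive overwritten by a wiper typically fails several checks at once."""
    if len(mbr) != MBR_SIZE:
        return ["sector 0 is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    used = 0
    for idx, p in enumerate(parse_partitions(mbr)):
        if p["type"] == 0 and p["lba"] == 0 and p["sectors"] == 0:
            continue                      # unused slot
        used += 1
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {idx}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {idx}: empty type or zero length")
        elif p["lba"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {idx}: extends past end of disk")
    if used == 0:
        findings.append("partition table empty")
    return findings
```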

Indicators of Compromise

US Releases Iranian Hacker

30-year-old Iranian hacker Nima Golestaneh was extradited to the US from Turkey last year, suspected of a hacking attack against American military aerospace contractor Arrow Tech Associates (Vermont, USA).

In October 2012 Golestaneh broke into the servers of the company, which builds ballistics prediction and testing software, and accessed its databases in an attempt to steal software worth millions of dollars.

US investigators identified that Golestaneh was in Turkey, and he was extradited to the US last year for trial on charges of wire fraud, unauthorized access to computers and money laundering.

However, Golestaneh was pardoned by the United States and sent back to the Islamic Republic before being sentenced.
It seems that Golestaneh was part of an active Iranian hacking team that targets US infrastructure and defense companies as well as the Las Vegas Sands casino email system.


Iranian Hackers Attack State Dept. via Social Media Accounts

Iran has launched a sophisticated computer espionage campaign leading to a series of cyberattacks against US State Department officials over the past month.

It is possible that cyberespionage is becoming the tool for seeking the type of influence that Iranian hardliners hoped the country’s nuclear program would eventually provide.

According to diplomatic and law enforcement officials familiar with the investigation, Iranian hackers over the past month identified individual State Department officials who focus on Iran and the Middle East and broke into their email and social media accounts. The State Department became aware of the compromises when Facebook told the victims that state-sponsored hackers had compromised their accounts.

Iran’s cyberskills are not yet equal to those of Russia or China, but the attack against the State Department, which used the social media accounts of young government employees to gain access to their friends across the administration, is an approach that had not been seen before.

The Iranians have been less destructive than they could be, but they are getting far more aggressive in cyberespionage, which they know is less likely to prompt a response from the United States.

Iranian hackers have been responsible for a series of powerful attacks against American banks that took their websites offline, as well as a destructive attack on Saudi Aramco, the world’s largest oil producer, that replaced data on employee machines with an image of a burning American flag. American government officials also blame Iran for a similarly destructive attack at RasGas, the Qatari natural gas giant, and for an attack on the Sands Casino in Las Vegas, where a large number of computers were destroyed.

Last year the Iranians began using cyberattacks for espionage rather than for destruction and disruption. From May 2014, Iranian hackers targeted Iranian dissidents and later policy makers, senior military personnel and defense contractors in the United States, England and Israel.

The attacks were basic “spear phishing” attempts, in which the attackers tried to lure their victims into clicking on a malicious link, in this case by impersonating members of the news media.
Iranian hackers were successful in more than a quarter of their attempts. The number of such attacks peaked in May, just ahead of the nuclear talks in Vienna in July, at more than 1,500 attempts.

In the months before the talks, Iran’s hackers began probing critical infrastructure networks in what appeared to be reconnaissance for cyberattacks intended to cause physical damage, but in June and July, as American and Iranian negotiators gathered in Vienna to agree a deal on Iran’s nuclear program, attacks against targets in the United States stopped. Instead, Iran started targeting victims in Israel, as well as members of Daesh in July as the militant group began expanding its territory across Iraq.

Then in August, just two weeks after the nuclear accord was reached, the trickle of cyberattacks against the group’s usual targets resumed, this time against 1,600 individuals ranging from scholars, scientists, chief executives and ministry officials to education institutes, journalists and human rights activists. Had Facebook not decided last month to use a new alert system to notify users when its security team believed state-sponsored hackers had hijacked their accounts, and had US State Department officials not begun to see a troubling new message pop up on their Facebook accounts, the victims might never have learned of the compromises.


Iran’s Cyberarmy: Is “Norse Company” as good as they think they are?

A report was recently issued regarding Iran’s possible plans to carry out cyberattacks in the USA. The report is surprising not only because of its shocking claims but also because of the identity of its authors: a Silicon Valley cyber security company and a Washington think tank that has been one of the strongest opponents of the nuclear deal with Iran. The report warns that if the US removed the sanctions against Iran, the Iranian government would use the money to strengthen its cyber warfare program.

Interestingly, before publication of the report, the Silicon Valley cyber security company had been sharing its information about Iran’s cyber warfare with US intelligence organisations. According to some US government officials, the information provided by the security company received negative reactions from the US officials who were trying to reach a nuclear deal with Iran.

The report was written by the cyber security company Norse in January of this year. In it, Norse claimed to have data on “more than 500,000 attacks on Industrial Control systems over the last 24 months”, referring to the computers that help run electricity generation companies, hydroelectric facilities and other critical infrastructure in the U.S.

Half a million “attacks” is a very large number, and Norse has not explained or shown any evidence in the document to support the claim; it has only said that more details are forthcoming in a report the company will publish “later this year.” The bulletin also claims that Iran is targeting computer systems and Web sites inside the United States.

It seems that Norse’s conclusions were based on the idea that Iran was behind malicious cyber activity simply because the traffic was emanating from particular Internet Protocol addresses located in Iran. But hackers routinely use IP addresses outside their own country to hide their true location.
Iranian cyber attacks against the U.S. are not new: the attack on the Sands casino company destroyed some of the company’s information assets, and Iran was behind an attack on U.S. bank websites in 2012. However, the Norse document was making some of the most serious claims possible in cyber security, accusing Iran, as a country hostile to the U.S., of targeting industrial control systems.

Later, Norse appeared to withdraw its findings: when its joint report was published in April, the claim of 500,000 attacks was nowhere to be found in that document. The earlier findings also said that Iran specifically targeted Industrial Control Systems (ICS) in the United States 47 times during 2014; again, the final report does not include that statement.
The report was intended to present a strategic view of Iran’s capabilities in cyberspace, which many U.S. officials have described as growing and dangerous, and not to provide evidence for the U.S. to carry out some retaliatory action before any crime has taken place.
Kurt Stammberger, a senior deputy managing director at Norse, defended the report by saying that “briefing summaries [such as the bulletin] make theories that sometimes, at the end of the day, aren’t produced by the data”.

Norse’s critics say that the evidence is not definitive enough to state that Iran was certainly trying to target industrial control systems, and that it could make Iran look like more of a threat than it actually is.

Even some of Norse’s critics have said that its ability to collect huge amounts of technical data is impressive and important. We don’t deny the company’s expertise, but it is clearly not an expert on Iran.