Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back! It appears that the Shamoon malware, aka “Shamoon 2”, is targeting Saudi computers. Back in 2012, malware known as Disttrack, under the name of Shamoon, targeted computers in Saudi Arabia, with Iran identified as the culprit. It is believed that Iran built up its malware development skills after the Stuxnet attack against Iran in 2010. Iran may have adapted malware such as Stuxnet and Wiper to fire back at its own targets. In 2012, Iran destroyed over 30,000 systems on the Saudi Aramco and RasGas Co Ltd. company networks, taking down Saudi Aramco for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems, and this behaviour is relatively rare (other recent malware, e.g. Mamba ransomware, holds users to ransom to get their systems decrypted). Previous well-known incidents involving disk-wiping software like Shamoon include the Dark Seoul attack in 2012 and, in 2014, the attacks on Sony Corporation’s Hollywood studios and the Sands Casino in Las Vegas.

The 2012 Shamoon attacks against Saudi Aramco and RasGas Co Ltd. computers displayed an image of a burning U.S. flag; in the latest Shamoon 2 attack, a distasteful image of the body of the drowned child, Syrian refugee Alan Kurdi, was used (the Iranian state blames Saudi Arabia for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries along with the Saudi central bank. After starting to wipe the hard drive, Shamoon 2 also disables the computer’s boot functions so it cannot recover its operating system. As in the 2012 attacks, Shamoon 2 was timed to detonate when most employees would be off work during a holiday (the Saudi work week runs from Sunday to Thursday), so the malware potentially had the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack work

Disttrack comprises a dropper, a communications component and a wiper. The Disttrack dropper executable extracts the other tools, saves them, and coordinates when they are executed. One component is responsible for communicating with a C2 server (C&C or command and control server) and another is used to wipe the hard drives.

Disttrack tries to spread to other computers on the network using previously obtained administrator credentials; similarly, in the 2012 Shamoon attacks, previously compromised credentials were hard coded into the malware.

The Dropper component

The dropper’s job involves disabling User Account Control (UAC) remote restrictions on the infected computer and logging into the remote system using an administrator’s stolen credentials. The payload is written to the system32 folder. The kernel driver is from the RawDisk product by EldoS Corporation; this gives the malware direct access to files, disks and partitions.

The Communications component

This component interacts with Disttrack’s command and control (C&C) server using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack do not use an operational Disttrack C2 server. The lack of an operational C2 server means the Iranian attackers had no need to remotely access the targeted computers; the intention was simply to destroy them.

If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, because “shinu” may refer to the name of a village in NW Iran.

The Wiper component

The wiper component installs a kernel driver that allows it to write to protected parts of the system, including the Master Boot Record (MBR) and the partition tables of storage volumes.
After overwriting the target hard drives, Disttrack instructs the target computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost and the system has to be formatted and reinstalled.

Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)
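As an added defensive example (not code from the original article), the following Python matches the C2 request shape quoted in the Communications component section and the SHA-256 indicators listed above against constructed proxy log lines and file hashes; the proxy log layout and the hostnames are assumptions.

```python
import re

# SHA-256 indicators copied from the article's Indicators of Compromise list.
DISTTRACK_SHA256 = {
    "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34": "dropper (x64)",
    "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b": "dropper (x86)",
    "772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5": "communications (x64)",
    "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842": "communications (x86)",
    "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a": "wiper (x64)",
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd": "wiper (x86)",
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": "EldoS RawDisk (x64)",
    "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6": "EldoS RawDisk (x86)",
}

# The C2 request shape the article quotes: GET http://server/category/page.php?shinu=...
C2_URI_RE = re.compile(r"/category/page\.php\?shinu=", re.IGNORECASE)

# Assumed (hypothetical) proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def find_c2_beacons(lines):
    """Return (client_ip, url) for every GET whose URL matches the Disttrack beacon path."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())  # malformed lines are skipped, not raised
        if m and m["method"] == "GET" and C2_URI_RE.search(m["url"]):
            hits.append((m["client"], m["url"]))
    return hits


def classify_hashes(sha256_list):
    """Map each SHA-256 (any letter case) that matches a listed IoC to its component label."""
    return {
        h.strip().lower(): DISTTRACK_SHA256[h.strip().lower()]
        for h in sha256_list
        if h.strip().lower() in DISTTRACK_SHA256
    }


# Constructed sample log lines (not real traffic); hostnames are placeholders.
SAMPLE_PROXY_LOG = [
    "2016-11-17T02:11:05Z 10.0.0.7 GET http://c2.example.test/category/page.php?shinu=ja1p9/abc 404",
    "2016-11-17T02:11:09Z 10.0.0.8 GET http://intranet.example.test/category/index.html 200",
    "2016-11-17T02:12:00Z 10.0.0.9 POST http://mail.example.test/owa/ 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    print(find_c2_beacons(SAMPLE_PROXY_LOG))
    print(classify_hashes(["47BB36CD2832A18B5AE951CF5A7D44FBA6D8F5DCA0A372392D40F51D1FE1AC34"]))
```

Only the beacon from 10.0.0.7 is reported; a hash is looked up case-insensitively, so hashes from tools that print uppercase digests still match.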


Operation Cleaver: Mass Hacking By Iranian State

Iranian hackers have been identified as the source of coordinated attacks against more than 50 targets in 16 countries, many of them corporate and government entities that manage critical energy, transportation and medical services.
According to Cylance, a security firm based in California, USA, over the course of two years Iranian hackers managed to steal confidential data from a long list of targets and in some cases infiltrated victims’ computer networks to such an extent that they could take over, manipulate or easily destroy data on those machines.
Cylance called the attacks “Operation Cleaver” because the word cleaver appeared often in the attackers’ malicious code.
The hackers used a set of tools that can spy on and even shut down critical control systems and computer networks, and aimed them at targets in the United States, Canada, Israel, India, Qatar, Kuwait, Mexico, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates, Germany, France, England, China and South Korea.
Victims of the attacks include the US Marine Corps, a major airline, a medical university, an energy company that specializes in natural gas production, a car manufacturer, a major military installation and a large military contractor. The Islamic Republic also concentrated attacks on oil and gas industries and universities in the United States, India, Israel and South Korea, and managed to steal pictures, passports and specific identifying information for students and faculty.
Cylance said it also collected worrying evidence of attacks on transport networks, including airlines and airports in South Korea, Saudi Arabia and Pakistan. Researchers said they found evidence that hackers gained complete remote access to airport gates and security control systems, “potentially allowing them to spoof gate credentials.”


NEWSCASTER: Iran Attacks Social Media

The Iranian state targeted the public and private sectors in the US, Israel, the UK and beyond using social media.
Iranian hackers used more than ten fake identities on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign. At least 2,000 people were caught in the snare and connected to the false identities.
This campaign has been operating undetected since 2011 and targets senior American military and diplomatic personnel, congressional staff, Washington DC journalists, US think tanks, defense contractors in the US and Israel, and others who are vocal supporters of Israel, in order to covertly obtain log-in credentials for these victims’ email systems. Additional victims were also targeted in the UK as well as Saudi Arabia and Iraq.
The targeting, operational schedule and infrastructure used in this campaign are consistent with Iranian origins.
The fake identities claim to work in journalism, government and defense contracting. The accounts are elaborate and build credibility using, among other tactics, a fictitious journalism website that copies news content from other media outlets.
These credible identities then connected with, linked to, followed and friended target victims to gain access to information on their location, activities and relationships from status updates and other common content.
The identities then targeted accounts with spear-phishing messages. Links that appeared legitimate asked recipients to log in to fake pages built to capture credentials. It is not clear at this time how many credentials the attack has captured so far.
Additionally, this campaign is linked to malware. While the malware is not very sophisticated, it includes capability that can be used for data exfiltration.
The discovery and investigation of the attack reveals three critical insights:
  1. Social media offers a powerful and hidden route to target key government and industry leadership through an external base, possibly outside of existing security measures.
  2. With reference to the targeting associated with this campaign, it is possible that Iranian hackers used access gained through these activities to support the development of weapon systems, reveal the disposition of the US military or the US alliance with Israel, or gain an advantage in negotiations between Iran and the US. Furthermore, it is possible that any such access or knowledge could be used as reconnaissance-for-attack ahead of disruptive or destructive activities.
  3. These adversaries are improving at finding and exploiting opportunities to carry out cyber espionage, even where they lack sophisticated capability. NEWSCASTER’s success is largely due to patience, brazenness and innovative use of multiple social media platforms.
It seems that the NEWSCASTER network mainly targets senior military personnel and policymakers, companies associated with defense technology, and the US-Israel lobby; however, there are also victims in the financial and energy sectors and elsewhere, and only a portion of the accounts connected to this network have been seen. Organizations involved in critical infrastructure, or holding information that may be of strategic or tactical interest to a nation-state adversary, should be concerned about a threat such as this.