Iranian “Shamoon” Attacks Saudi Targets. Again.

It’s back! It appears that the Shamoon malware, aka “Shamoon 2”, is targeting Saudi computers. Back in 2012, malware known as Disttrack, under the name of Shamoon, targeted computers in Saudi Arabia, with Iran held responsible. It is believed that Iran built up its malware development skills after being attacked by Stuxnet in 2010. Iran may have adapted malware such as Stuxnet and Wiper to fire back at targets of its own. In 2012, Iran destroyed over 30,000 systems in the Saudi Aramco and RasGas Co Ltd. company networks, taking Saudi Aramco down for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems, which is relatively rare behaviour (other recent malware, e.g. Mamba ransomware, holds users to ransom to get their systems decrypted). Previous famous occasions involving disk-wiping software such as Shamoon include the Dark Seoul attack in 2012 and, in 2014, the attacks on Sony Corporation’s Hollywood studios and the Sands Casino in Las Vegas.

The 2012 Shamoon attacks against Saudi Aramco and RasGas Co Ltd. computers displayed images of a burning U.S. flag; in the latest Shamoon 2 attack, a distasteful image of the body of the drowned Syrian refugee child Alan Kurdi was used (the Iranian state blames Saudi Arabia for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries along with the Saudi central bank. After starting to wipe the hard drive, Shamoon 2 also disables the computer’s boot functions so that it cannot recover its operating system. As in the 2012 attacks, Shamoon 2 was timed to detonate when most employees would be off work during a holiday (the Saudi work week runs from Sunday to Thursday), so the malware potentially had the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack work

Disttrack consists of three parts: a dropper, a communications component and a wiper. The Disttrack dropper executable extracts the other components and coordinates when they are saved to disk and executed. One component is responsible for communicating with a C2 server (C&C, or command and control, server) and another is used to wipe the hard drives.

Disttrack tries to spread to other computers on the network using previously obtained administrator credentials, as in the 2012 Shamoon attacks, where previously compromised credentials were hard-coded into the malware.

The Dropper component

The dropper disables User Account Control (UAC) remote restrictions on an infected computer and logs into the remote system using an administrator’s stolen credentials. The payload is written to the system32 folder. The kernel driver is from the RawDisk product by EldoS Corporation; this gives the malware direct access to files, disks and partitions.

The Communications component

This component interacts with Disttrack’s command and control (C&C) server using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack are not configured with an operational C2 server. The lack of an operational C2 server means the Iranian attackers had no need to remotely access the targeted computers; the intention was simply to destroy them.

If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request that starts with GET http://server/category/page.php?shinu=ja1p9/…
This is perhaps additional evidence of Iranian involvement, because “shinu” may refer to the name of a village in north-west Iran.

The Wiper component

The wiper component installs a kernel driver that allows it to write to protected parts of the system, including the Master Boot Record (MBR) and the partition tables of storage volumes.
After overwriting the target hard drives, Disttrack instructs the target computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost and the system has to be formatted and reinstalled.

Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)
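The following script is an added example (not code from the original post or from any vendor) showing how a defender could use the two detection opportunities this section gives: the file hashes in the indicator list above, and the C2 request shape described under the communications component. The hashes are taken verbatim from the list and are assumed to be SHA-256 (they are 64 hex characters); the proxy log lines are constructed for illustration, and the 198.51.100.7 address is a documentation placeholder.

```python
"""Triage helpers for the Disttrack / Shamoon 2 indicators listed above.

Added example, not the original post's code.  The hashes are copied from the
page's indicator list (assumed SHA-256); the proxy log lines are constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Indicator list from the page, keyed by lower-case hex digest.
DISTTRACK_SHA256 = {
    "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34": ("Disttrack dropper", "x64"),
    "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b": ("Disttrack dropper", "x86"),
    "772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5": ("Communication component", "x64"),
    "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842": ("Communication component", "x86"),
    "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a": ("Wiper component", "x64"),
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd": ("Wiper component", "x86"),
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": ("EldoS RawDisk driver", "x64"),
    "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6": ("EldoS RawDisk driver", "x86"),
}

# C2 request shape quoted on the page: GET http://server/category/page.php?shinu=ja1p9/...
# "server" is a placeholder, so match only the path and query-string prefix.
C2_PATH_RE = re.compile(r"/category/page\.php\?shinu=", re.IGNORECASE)


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hash(digest: str) -> Optional[Tuple[str, str]]:
    """Return (component, architecture) if the digest is a known Disttrack hash, else None."""
    return DISTTRACK_SHA256.get(digest.strip().lower())


def scan_directory(root: Path) -> List[Tuple[Path, str, str]]:
    """Hash every regular file under root and report matches against the indicator list."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            hit = match_hash(hash_file(path))
        except OSError:  # unreadable file: skip it rather than abort the sweep
            continue
        if hit:
            hits.append((path, *hit))
    return hits


def find_c2_requests(log_lines: Iterable[str]) -> List[str]:
    """Return proxy log lines whose requested URL matches the Disttrack C2 pattern."""
    return [line for line in log_lines if C2_PATH_RE.search(line)]


# Constructed sample proxy log (not real traffic): one beacon-shaped request, two benign ones.
SAMPLE_PROXY_LOG = [
    "2016-11-17T03:12:44Z 10.0.8.21 GET http://198.51.100.7/category/page.php?shinu=ja1p9/abc 200",
    "2016-11-17T03:12:45Z 10.0.8.22 GET http://example.com/category/page.php?id=42 200",
    "2016-11-17T03:12:46Z 10.0.8.23 GET http://example.org/index.html 304",
]


if __name__ == "__main__":
    for line in find_c2_requests(SAMPLE_PROXY_LOG):
        print("possible Disttrack C2 request:", line)
    for path, component, arch in scan_directory(Path(".")):
        print(f"indicator match: {path} -> {component} ({arch})")
```

Hash matching only catches these exact samples; any recompiled variant will have a different digest, so the URL pattern and, on hosts, the appearance of a RawDisk driver where none is expected are the more durable signals.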


Iran’s “National Internet” Project: Doomed to Fail.

The National Internet aka Intranet

Iran has rolled out the start of the “National Internet” Project for all Iranian citizens to “enjoy”. According to the Tasnim news agency, the national internet operates independently of all other networks (in other words, the Internet we all know and love) and is designed to operate domestically.

The national internet was started in 2005 (held back by increased costs and delays) and the final two phases are due to be completed by 2017. The second phase will add cutting-edge content such as videos. Expect that in February 2017. The third and final phase will include, among other things, services for Iranian business with international services. Err…

Filternet: it’s all over

The previous attempt by the Iranian regime known as the “filternet” or the “smart web” (designed to limit access to the evil parts of the existing internet), has failed miserably because it is easy for Iranians to use proxy servers or VPN connections to get around the “filters” put in place by the regime.  

Mahmoud Vaezi: filternet was all his fault

Iran’s Communications and Information Technology minister Mahmoud Vaezi was behind the smart web filtering project, but he now says that the “filternet” is inefficient. So, he’s really saying it has not worked. And it’s all his fault. You can see here that Vaezi thought “filternet” was a great success, while hypocritically using foreign companies to help set it up. Confused? No doubt Vaezi will have to wipe the egg off his face when not only the “filternet” but also the national internet fails to stop Iranians from accessing sites on the WWW.

Iran seems fine with the hypocrisy that a Californian company’s SmartFilter was used in the development of “filternet”…

Why bother?

To replace “filternet”, the national internet is deliberately meant to create an isolated domestic intranet for Islamic content and also attempt to improve cyber security (by not exposing Iranians to the evil Western Internet).

Well, Iran’s president Hassan Rouhani thinks it will magically strengthen the independence of the country. At a meeting of the Supreme Council of Cyberspace, according to the Iranian Republic News Agency (IRNA), Rouhani said that Iranian independence is increased by “not relying on external information networks for internal communications in today’s world”.

Hassan Rouhani: backing the National Internet

Rouhani vainly tries to convince Iranians (no one is falling for it), that they will play a more active role in furthering Iran’s role in the world if Iranians get access to a, “national, trustworthy, stable, high-quality and secure network” (cyber security in Iran is a bit of a hot topic in a post-Stuxnet world).

What this really means is that Iranians are meant to only be able to access content that is delivered from within Iran, with all servers being based in Iran.

Don’t panic

Like the failed “filternet” before it, the “National Internet” will NOT be able to control Iranian access to the wider, “unclean” Internet. Why not? Well, if filters can be easily bypassed, so can this. If Iran cannot control the use of Telegram, for example (Telegram has no servers in Iran), does the regime really think control can be achieved by other means?

Less computer-literate people may not normally be able to access sites such as Facebook, Twitter, Flickr, YouTube, etc., but such sites remain accessible by means such as those described above.


Zero Days: Film about Nitro Zeus & Stuxnet

Zero Days is a new film investigating the world’s first cyber weapon, known as Stuxnet, and Operation Olympic Games. Stuxnet is malicious software that can obscure and harm critical data. The film also discusses another, even more powerful cyber weapon, known as Nitro Zeus.


Stuxnet is a malicious cyber worm, possibly of US and Israeli origin. It targeted the Iranian nuclear facilities at Natanz in a way designed to make the resulting damage look like a series of accidents.

Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes, e.g. controlling machinery on factory assembly lines, or centrifuges for separating nuclear material.

Exploiting four zero-day flaws, Stuxnet spreads across machines and networks running the Microsoft Windows operating system, then seeks out Siemens Step7 software. Stuxnet compromised Iranian PLCs, collecting information on industrial systems and causing the centrifuges to be destroyed.

Stuxnet’s design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in automobile or power plants), the majority of which reside in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.

Operation Olympic Games

Operation Olympic Games was a covert campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and possibly also by Israel.

Nitro Zeus

Nitro Zeus provided the NSA (National Security Agency) the ability to attack Iran’s command-and-control systems, which would obstruct the whole country’s communication capabilities.

The state-sponsored cyber hack would also disable Iranian air defenses, and harm financial systems as well as vital components of the power grid. This would allow US and Israeli aircraft to survey the area without being shot down.

The operation was in place as a second option just in case diplomacy and negotiations did not go smoothly. The cyber program was never actually used.


The Zero Days trailer can be found at the official site here


Iran claims to stop Dino Malware attack

Iran confirms that spy malware called Dino has been targeting sensitive centers inside the country for the past year and a half.

Masoud Biglarian, head of the Computer Emergency Response Team Coordination Center (CERTCC), said that after the malware was discovered, the CERTCC, which is a subset of Information and Communication Technology (ICT), sent a secret report to the country’s officials about the issue.

According to Iran’s Mehr news agency, Biglarian said: “We took appropriate measures to prevent damage to the strategic centers of the country by Dino”.

He also said that Dino is a type of spyware, like Stuxnet, that is designed for specific purposes and launches targeted attacks.

He rejected claims that the malware infected some sensitive centers inside the country.

Last week some Western media outlets reported that the Dino malware, which searches for specific data and steals it, has infected some organizations inside Iran.

Researchers at the security firm ESET in Bratislava, Slovakia, identified the sophisticated Dino Trojan that attacked Iranian and Syrian targets in 2013, and it is rumoured that the group behind it is a secret part of the French intelligence service.

Dino was supposedly created by the so-called Animal Farm group, which also created other Trojans such as Bunny, Casper and Babar. The Casper malware’s claim to fame is that it was involved in a large-scale attack on computer systems in Syria last autumn.

ESET claims that Dino’s main goal seems to be the exfiltration of files from its targets.

Large-scale cyber attacks on Iranian facilities started in 2010, after the US and Israel reportedly tried to disrupt the operation of Iran’s nuclear facilities with a worm that later became known as Stuxnet.

US intelligence officials revealed in June 2013 that the Stuxnet malware was not only designed to disrupt Iran’s nuclear program but was also part of a wider campaign directed from Israel that included the assassination of the country’s nuclear scientists.

Stuxnet is the first discovered worm that spies on industrial systems and reprograms them. It is written specifically to attack SCADA systems that are used to control and monitor industrial processes.

In September 2013 the Islamic Republic of Iran said that the Stuxnet computer worm had infected 30,000 IP addresses in Iran, but it denied reports that the worm had damaged computer systems at the country’s nuclear power plants.


Duqu 2.0: ‘Almost Invisible’ Cyber Espionage Tool Targeted Russian Co., Linked to Iran Nuclear Talks

A Russian cyber security company says that it has discovered a highly technical, “almost invisible” cyber espionage tool that targeted the company’s own servers and other systems around the world, including some linked to the controversial Iranian nuclear negotiations.
Kaspersky Lab, which is based in Moscow, announced the discovery of the worm, called Duqu 2.0, which the company said it found this spring after the worm had been inside its systems for “months.”
Kaspersky says that after discovering the worm it started an investigation to find other victims of the attack, and found that some of the “infections are linked to the P5+1 events and venues related to negotiations with Iran about a nuclear deal.”
The Wall Street Journal was the first news outlet to publish the news about Duqu 2.0. According to the Journal, computers at three luxury European hotels where negotiations had been held were among the worm’s victims.

Eugene Kaspersky said that the company cannot say definitively who is behind the attack, but he believes that, due to its sophistication and its technical links to previous next-generation computer worms, the attack was most probably carried out by a government.

Kaspersky said that the name Duqu 2.0 was chosen for this worm because it appeared to be an upgraded version of the Duqu worm, another highly sophisticated espionage tool discovered in 2011.
Kaspersky said: “We can’t prove attribution because they’re going through proxy servers. There are technical attributions we can read from the code. This attack is a relative, it’s a new generation of the Duqu attack, most probably made by the same people, or they shared the source code with others.”
Symantec, a large American cyber security company, agreed that Duqu 2.0 is an evolution of the original threat, created by the same group of attackers.

Symantec also reported that Duqu 2.0 appears to have targeted European and North African telecom operators and a South East Asian electronic equipment manufacturer. Symantec had reported in 2012 that the Duqu threat had not been eliminated and that a new version of the worm had been discovered at that time.
Duqu and Duqu 2.0 are closely linked to Stuxnet, a revolutionary cyber weapon believed to have physically damaged an Iranian nuclear facility and suspected to be the result of a joint US-Israeli top secret operation.

When the original Duqu was discovered in 2011, Symantec reported that it “shares large number of codes with Stuxnet” and the same suspicions were raised about whether the attackers were the same or whether source code had been shared.
The Wall Street Journal, in its report today, said that Duqu 2.0 was “commonly believed to be used by Israeli spies.”
But according to Kaspersky Lab, the Duqu 2.0 code also included a number of “false flag” clues to hide or mislead about who was behind it. One was a mention in the code of a nickname for a Chinese military officer who was one of five indicted by the U.S. in an extraordinary move by the Department of Justice against Chinese cyber espionage. Another mentioned a prolific Romanian hacker.
Kaspersky claims that such false flags are relatively easy to spot, “especially when the attacker is very careful not to make any other mistakes.”