Shamoon
Shamoon, also known as Disttrack and W32.Disttrack, is a destructive Windows wiper malware family best known for the August 2012 attack on Saudi Aramco, where about 30,000 workstations were wiped; it was also discussed in connection with attacks affecting the oil and energy sector, including RasGas. The malware is designed to overwrite files and the master boot record (MBR), rendering systems unusable, and multiple reports state it was intended to make recovery difficult or impossible.

Shamoon has self-propagation and lateral-movement characteristics, spreading via shared network disks or network shares. Analyses describe a staged attack in which it first collects or scrapes data and file information from other systems, including reachable systems not connected to the Internet, then wipes target machines and overwrites the MBR. Symantec described Shamoon as having dropper, wiper, and reporter components; reporting also states it can send infection status, destroyed-file counts, IP address information, random identifiers, or overwritten-file information to another infected or internal machine, including observed communication to the local IP 10.1.252.19. Shamoon copies an executable payload to the target system and schedules execution via an unnamed task, and it queries Registry keys to identify hard disk partitions to overwrite. It can also modify file timestamps to evade forensic detection. Technical reporting states the malware used a legitimately signed EldoS disk driver (RawDisk-style access) to obtain low-level disk access and wipe disk structures including the MBR and partitions.

Development artifacts included the path "C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb", from which the name was derived. Some reporting states the malware overwrote critical files with an image of a burning American flag or portions of a JPEG image. High-confidence targeting in the provided content centers on oil and energy organizations, especially in Saudi Arabia and the Gulf.
Multiple references in the content link Shamoon to Iranian threat activity or Iran-linked operations; the content specifically notes U.S. government and industry reporting that associated the malware with Iran, and mentions later discussion of Shamoon waves in relation to APT33/Elfin, although one cited Symantec report said it found no further evidence that Elfin was responsible for those Shamoon attacks.
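The summary above describes a chain a defender can correlate in host telemetry: an executable landing on a remote administrative share, a scheduled task created on that host shortly afterwards, a driver written to %System%\drivers\drdisk.sys, and a timestamp change on that file. The following is an added detection example, not code from the page or from Mallory. It assumes a simplified, normalised event schema (the `type`, `host`, `target_host`, `path` and `task_name` fields), a ten-minute correlation window, and invented hostnames and payload file name; the sample events are constructed, not real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each record mimics a normalised
# EDR/Sysmon-style event; hostnames and the payload file name are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2012-08-15T08:00:00", "type": "FileCreate", "host": "ws01",
     "path": r"\\ws07\ADMIN$\payload.exe"},                   # exe copied to remote admin share
    {"ts": "2012-08-15T08:00:05", "type": "FileCreate", "host": "ws01",
     "path": r"\\ws07\ADMIN$\notes.txt"},                     # non-executable: ignored
    {"ts": "2012-08-15T08:00:40", "type": "TaskCreate", "host": "ws07",
     "target_host": "ws07", "task_name": ""},                 # unnamed task right after the copy
    {"ts": "2012-08-15T08:01:10", "type": "FileCreate", "host": "ws07",
     "path": r"C:\Windows\System32\drivers\drdisk.sys"},      # driver dropped at the reported path
    {"ts": "2012-08-15T08:01:15", "type": "FileTimeChange", "host": "ws07",
     "path": r"C:\Windows\System32\drivers\drdisk.sys"},      # timestamp modified on that file
    {"ts": "2012-08-15T08:01:30", "type": "DriverLoad", "host": "ws07",
     "path": r"C:\Windows\System32\drivers\drdisk.sys"},
    {"ts": "2012-08-15T09:30:00", "type": "TaskCreate", "host": "ws03",
     "target_host": "ws03", "task_name": "NightlyBackup"},   # no preceding share copy: benign
]

# An .exe written to a remote administrative share; the group captures the target host.
ADMIN_SHARE_EXE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?:ADMIN\$|[A-Z]\$)\\.*\.exe$", re.IGNORECASE)
# The driver location named in the reporting above.
DRDISK_PATH = re.compile(r"\\drivers\\drdisk\.sys$", re.IGNORECASE)
# Assumed window in which a task creation is still tied to an earlier share copy.
CORRELATION_WINDOW = timedelta(minutes=10)


def detect(events):
    """Return (rule, host, detail) findings for the Shamoon-style chain."""
    findings = []
    share_drops = defaultdict(list)  # target host -> [(time, path), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        kind, host, path = ev["type"], ev["host"].lower(), ev.get("path", "")
        if kind == "FileCreate":
            m = ADMIN_SHARE_EXE.match(path)
            if m:
                share_drops[m.group("host").lower()].append((t, path))
            if DRDISK_PATH.search(path):
                findings.append(("drdisk-driver-written", host, path))
        elif kind == "TaskCreate":
            target = ev.get("target_host", ev["host"]).lower()
            recent = [p for (dt, p) in share_drops[target] if t - CORRELATION_WINDOW <= dt <= t]
            if recent:
                name = ev.get("task_name") or "<unnamed>"
                findings.append(("admin-share-copy-then-task", target, f"{recent[-1]} -> task {name}"))
        elif kind == "DriverLoad" and DRDISK_PATH.search(path):
            findings.append(("drdisk-driver-loaded", host, path))
        elif kind == "FileTimeChange" and DRDISK_PATH.search(path):
            findings.append(("timestomp-on-dropped-driver", host, path))
    return findings


def hosts_with_full_chain(findings):
    """Hosts on which both the lateral-movement step and the driver drop were observed."""
    by_host = defaultdict(set)
    for rule, host, _ in findings:
        by_host[host].add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"admin-share-copy-then-task", "drdisk-driver-written"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print("full chain on:", hosts_with_full_chain(found))
```

The share-copy rule is the noisy one on its own (administrators legitimately copy tools to ADMIN$), which is why it only fires once a task creation follows on the same host within the window; the drdisk.sys rules are narrow enough to page on directly.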
Groups observed using it
8 distinct threat actors attributed by public researchers.
The virus, named Shamoon after a word in its code, was designed to overwrite critical files with an image of a burning American flag.
Elfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks.
"CHRYSENE developed from an espionage campaign that first gained attention after the destructive Shamoon cyberattack in 2012 that impacted Saudi Aramco."
The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
Researchers have identified a possible new collaborator in the continued Shamoon attacks against Saudi organizations... helping Shamoon steal user credentials of targets ahead of Shamoon’s destructive attacks.
Shamoon resurgence: Following its initial debut in 2012, Shamoon 2 and Shamoon 3 were deployed against Middle Eastern entities. These attacks utilized spearphishing to gain initial access, eventually relying on the Eldos RawDisk driver to bypass Windows APIs and overwrite the master boot record (MBR).
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
2012 Attack Timeline • Targeted Phishing attack • Date Unknown
Execution
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
waste a 0-day vulnerability in order to silently install a sophisticated malware
Persistence
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Privilege Escalation
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Stealth
5 techniques
It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive... The driver, according to Kaspersky, was digitally signed using the private cryptographic key belonging to a company called EldoS Corporation.
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Deletes an existing driver from the following location and overwrites it with another legitimate driver: %System%\drivers\drdisk.sys
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Once a system on a network is infected, the code scrapes data from other systems via network shares, including those not connected to the internet.
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Lateral Movement
4 techniques
Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.
The fact that it was not connected to the Internet lends credence to reports that the attack may have been facilitated by a Saudi Aramco employee.
Duqu ... spread laterally by copying itself to shares it has enumerated ... The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.
Collection
2 techniques
Once a system on a network is infected, the code scrapes data from other systems via network shares, including those not connected to the internet.
Shamoon, also known as Disttrack, is unusual as it infects a PC, steals certain data, sends the data to another infected PC and then overwrites the PC's master boot record...
Command and Control
3 techniques
The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Internal Saudi Aramco PC used as proxy by attackers • Date unknown
Impact
3 techniques
IT Windows based Saudi Aramco PCs >35K begin shutting down & being wiped • 15 August 2012
Unlike many other contemporary viruses, Shamoon/Disttrack does not attempt to steal data but instead tries to delete it irrecoverably.
It then wipes all the data on the target systems and overwrites the master boot record to brick the system.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
81 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A data-wiping malware referenced as having locked 30,000 systems at Saudi Aramco in 2012.
Disk-wiping malware used in disruptive attacks; it gains access via spearphishing and overwrites the MBR using the Eldos RawDisk driver to cause destructive impact.
Destructive malware associated with the 2012 cyberattack on Saudi Aramco that disrupted operations and delayed oil production.
Destructive wiper malware previously deployed by Iranian operators against organizations in the Middle East.