Shamoon
Associated Software Descriptions
Name | Description |
---|---|
Disttrack | (Citation: Palo Alto Shamoon Nov 2016) |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry.(Citation: Palo Alto Shamoon Nov 2016) |
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Shamoon can impersonate tokens using |
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Shamoon has used HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the "MaintenaceSrv" and "hdv_725x" services.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Shamoon has been seen overwriting features of disk structure such as the MBR.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
Enterprise | T1070.006 | Indicator Removal: Timestomp | Shamoon can change the modified time for files to evade forensic detection.(Citation: McAfee Shamoon December 2018) |
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018) |
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.(Citation: FireEye Shamoon Nov 2016) |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016) |
Enterprise | T1569.002 | System Services: Service Execution | Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December19 2018) |
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
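
The service names, display name and description listed under T1543.003 and T1036.004 can be checked against a service inventory. The sketch below is an added example, not code from the cited reports; the record layout (`Host`, `Name`, `DisplayName`, `Description` keys), the function names and the sample records are assumptions constructed for illustration.

```python
import json
import unicodedata

# Service attributes quoted on this page (names, display name, description).
SERVICE_NAMES = {"ntssrv", "maintenacesrv", "hdv_725x"}
DISPLAY_NAME = "microsoft network realtime inspection service"
DESCRIPTION = ("helps guard against time change attempts targeting known and "
               "newly discovered vulnerabilities in network time protocols.")

def norm(value):
    """Fold case, Unicode compatibility forms, outer quotes and whitespace runs."""
    text = unicodedata.normalize("NFKC", value or "").strip('\u201c\u201d" \t')
    return " ".join(text.split()).casefold()

def check_service(record):
    """Return the reasons a service record matches the indicators above."""
    reasons = []
    if norm(record.get("Name")) in SERVICE_NAMES:
        reasons.append("service name")
    if norm(record.get("DisplayName")) == DISPLAY_NAME:
        reasons.append("display name")
    if norm(record.get("Description")) == DESCRIPTION:
        reasons.append("description")
    return reasons

def scan(inventory_json):
    """Map (host, service) to match reasons for every record with a hit."""
    hits = {}
    for rec in json.loads(inventory_json):
        reasons = check_service(rec)
        if reasons:
            hits[(rec.get("Host"), rec.get("Name"))] = reasons
    return hits

# Constructed sample inventory (not real telemetry); the key layout is assumed.
SAMPLE = json.dumps([
    {"Host": "ws01", "Name": "ExampleSvc", "DisplayName": "Example Service",
     "Description": "Constructed benign entry."},
    {"Host": "ws02", "Name": "NtsSrv",
     "DisplayName": "Microsoft Network  Realtime Inspection Service",
     "Description": "Helps guard against time change attempts targeting known and "
                    "newly discovered vulnerabilities in network time protocols."},
    {"Host": "ws03", "Name": "MaintenaceSrv", "DisplayName": "Maintenance",
     "Description": ""},
])

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Matching on display name and description separately from the service name also flags a record where only the service key has been renamed.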
References
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
- Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020.