Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Shamoon
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Shamoon
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)
ID: S0140
Associated Software: Disttrack
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 09 Feb 2021

Associated Software Descriptions
Name Description
Disttrack (Citation: Palo Alto Shamoon Nov 2016)

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.(Citation: Palo Alto Shamoon Nov 2016)
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.(Citation: McAfee Shamoon December 2018)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Shamoon has used HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the "MaintenaceSrv" and "hdv_725x" services.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Shamoon has been seen overwriting features of disk structure such as the MBR.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)
Enterprise T1070 .006 Indicator Removal: Timestomp

Shamoon can change the modified time for files to evade forensic detection.(Citation: McAfee Shamoon December 2018)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.(Citation: FireEye Shamoon Nov 2016)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)
Enterprise T1569 .002 System Services: Service Execution

Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December19 2018)
Enterprise T1078 .002 Valid Accounts: Domain Accounts

If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)

References

  1. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  2. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  3. Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.
  4. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  5. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.
  6. Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.