Analysis of Shamoon 2 Disk-Wiping Malware

Shamoon 2 Malware Background

On August 15, 2012, a Saudi Arabian energy company was infected with disk-wiping malware in a targeted attack. The malware, known as either “Shamoon” or “DistTrack,” reportedly infected nearly 30,000 machines at the company in this attack.

Shamoon is highly destructive malware that is capable of spreading to other Windows systems on the network, wiping any infected system at a specified date and time. There is no remediation for affected systems other than restoring from a full backup—the system is rendered inoperable minutes after wiping begins.

Shamoon 2 Campaigns

In November of 2016, this malware resurfaced in a new campaign, again targeting Saudi Arabia. The Shamoon samples discovered as a part of this attack demonstrated nearly identical TTPs to the samples from 2012.

Shamoon appeared again in January of 2017—this time with code modifications that showed greater sophistication and new techniques. Furthermore, researchers have identified new wiper malware (named “StoneDrill”) that is potentially related to the previous Shamoon campaigns, although no active campaign using this malware has been identified.

Shamoon 2 Malware Analysis Report

LogRhythm Labs published a report revealing details behind the malware campaign commonly referred to as “Shamoon 2,” including the tactics, techniques, and procedures (TTPs) it uses.

This report provides detailed analysis of a sample discovered in the first wave of attacks in November 2016, as well as signatures to aid in the detection of this threat on the network. LogRhythm Labs is continuing to monitor activity related to Shamoon and StoneDrill, and will report on the analysis of any future discoveries.

Download the complete report to learn more about the TTPs of the Shamoon 2 malware and how you can remediate it.

About the Researchers

Erika Noerenberg is a senior malware analyst and reverse engineer in the Threat Research Group of LogRhythm Labs in Boulder, CO. Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusion investigations for the DoD and FBI.

Nathaniel “Q” Quist is a threat intel and incident response engineer in the Threat Research Group of LogRhythm Labs in Boulder, CO. Previously, Q worked with IBM as a security engineer for their Federal Data Center. Prior to this, he was attached to an NSA unit and performed CND and threat intelligence analysis operations. He is currently completing his master’s degree at the SANS Technology Institute.
