{"id":68479,"date":"2017-01-27T10:59:46","date_gmt":"2017-01-27T18:59:46","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=68479"},"modified":"2025-06-05T18:48:27","modified_gmt":"2025-06-06T01:48:27","slug":"spotlight-on-shamoon","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spotlight-on-shamoon\/","title":{"rendered":"Spotlight on Shamoon"},"content":{"rendered":"

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com).<\/a> The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents have occurred in public and private sectors.<\/p>\n

Rev.2 campaign<\/h2>\n

The code for the current revision is almost identical to the original version: Changes include the addition of a victim\u2019s credentials to spread and execute the wiper in a large part of the environment. In the following screenshot, we can see that the old encoded resource names PKCS12, PKCS7, and X509 are still present in the new variants but not used.<\/p>\n

\"Screen<\/p>\n

A question that many of us in the industry have asked ourselves is How were the attackers able to gain the credentials from so many victims in the Middle East? Let\u2019s approach this from the attacker\u2019s view and follow the Cyber Kill Chain steps.<\/p>\n

Reconnaissance<\/strong><\/h2>\n

An attack group prepares a plan and identifies the victims it wants to hit to create an impact or make a statement. The group gathers email addresses and other open-source intelligence as the first step to preparing for the campaign. They register domains, code backdoors, and prepare for the reconnaissance phase. When all is tested, the initial attack starts with spear phishing:<\/p>\n

\"Screen<\/p>\n

The victims receive emails, for example, one like the preceding business proposal. The email also contains a tempting attachment. When opening the attachment, some victims saw this:<\/p>\n

\"Screen<\/p>\n

Any requirement to activate macros before seeing content should set off alarm bells. Analyzing the document, we received confirmation of our suspicions:<\/p>\n

\"Screen<\/p>\n

Decoding the obfuscated macro code results in a PowerShell script that proceeds to download a file, a Trojan capable of gathering system information and downloading other tools.<\/p>\n

In other cases, we found a backdoor using a PowerShell script to gather information from the system and write to a temporary file. A\u00a0code snippet:<\/p>\n

\"Screen<\/p>\n

We also found a script that creates an instance of Mimikatz, a tool known to dump user credentials from a computer:<\/p>\n