{"id":93157,"date":"2018-12-14T12:32:41","date_gmt":"2018-12-14T20:32:41","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=93157"},"modified":"2024-02-19T23:01:58","modified_gmt":"2024-02-20T07:01:58","slug":"shamoon-returns-to-wipe-systems-in-middle-east-europe","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/","title":{"rendered":"Shamoon Returns to Wipe Systems in Middle East, Europe"},"content":{"rendered":"<p>Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims.<\/p>\n<p>Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can take weeks or months, while resulting in unprofitability and diminished reputation.<\/p>\n<p>Recent attacks have demonstrated how big the damage can be. Last year NotPetya affected several companies around the world. Last February, researchers uncovered OlympicDestroyer, which affected the Olympic Games organization.<\/p>\n<p>Shamoon is destructive malware that McAfee has been monitoring since its appearance. The most recent wave struck early this month when the McAfee Foundstone Emergency Incident Response team reacted to a customer\u2019s breach and identified the latest variant. Shamoon hit oil and gas companies in the Middle East in 2012 and resurfaced in 2016 targeting the same industry. 
This threat is critical for businesses; we recommend taking appropriate actions to defend your organizations.<\/p>\n<p>During the past week, we have observed a new variant attacking several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe.<\/p>\n<p>Similar to the previous wave, Shamoon Version 3 uses several mechanisms as evasion techniques to bypass security as well to circumvent analysis and achieve its ends. However, its overall behavior remains the same as in previous versions, rendering detection straightforward for most antimalware engines.<\/p>\n<p>As in previous variants, Shamoon Version 3 installs a malicious service that runs the wiper component. Once the wiper is running, it overwrites all files with random rubbish and triggers a reboot, resulting in a \u201cblue screen of death\u201d or a driver error and making the system inoperable. The variant can also enumerate the local network, but in this case does nothing with that information. This variant has some bugs, suggesting the possibility that this version is a beta or test phase.<\/p>\n<p>The main differences from earlier versions are the name list used to drop the malicious file and the fabricated service name MaintenaceSrv (with \u201cmaintenance\u201d misspelled). The wiping component has also been designed to target all files on the system with these options:<\/p>\n<ul>\n<li>Overwrite file with garbage data (used in this version and the samples we analyzed)<\/li>\n<li>Overwrite with a file (used in Shamoon Versions 1 and 2)<\/li>\n<li>Encrypt the files and master boot record (not used in this version)<\/li>\n<\/ul>\n<p>Shamoon is modular malware: The wiper component can be reused as a standalone file and weaponized in other attacks, making this threat a high risk. The post presents our findings, including a detailed analysis and indicators of compromise.<\/p>\n<h2>Analysis<\/h2>\n<p>Shamoon is a dropper that carries three resources. 
The dropper is responsible for collecting data as well as embedding evasion techniques such as obfuscation, antidebugging, or antiforensic tricks. The dropper requires an argument to run.<\/p>\n<p>It decrypts the three resources and installs them on the system in the %System% folder. It also creates the service MaintenaceSrv, which runs the wiper. The typo in the service name eases detection.<\/p>\n<p>The Advanced Threat Research team has watched this service evolve over the years. The following tables highlight the differences:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93159\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-1.png\" alt=\"\" width=\"993\" height=\"499\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-1.png 993w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-1-300x151.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-1-768x386.png 768w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><\/a><br \/>\nThe wiper uses ElRawDisk.sys to access the user\u2019s raw disk and overwrites all data in all folders and disk sectors, causing a critical state of the infected machine before it finally reboots.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93160\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-2.png\" alt=\"\" width=\"993\" height=\"200\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-2.png 993w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-2-300x60.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-2-768x155.png 768w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><\/a><\/p>\n<p>The result is either a blue screen or driver error that renders the machine unusable.<\/p>\n<h2>Overview<\/h2>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93163\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6.png\" alt=\"\" width=\"1104\" height=\"1725\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6.png 1104w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6-192x300.png 192w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6-768x1200.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6-655x1024.png 655w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6-320x500.png 320w\" sizes=\"auto, (max-width: 1104px) 100vw, 1104px\" \/><\/a><\/p>\n<h2><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6b.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93192\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6b.png\" alt=\"\" width=\"1003\" height=\"276\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6b.png 1003w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6b-300x83.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-6b-768x211.png 768w\" sizes=\"auto, (max-width: 1003px) 100vw, 1003px\" \/><\/a><\/h2>\n<h2>Dropper<\/h2>\n<h3>Executable summary<\/h3>\n<p><a 
href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93221 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A-1024x253.png\" alt=\"\" width=\"1024\" height=\"253\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A-1024x253.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A-300x74.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A-768x190.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-A.png 1254w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The dropper contains the other malicious components, masked as encrypted files embedded in a PE section.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-4.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93215\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-4.tif.png\" alt=\"\" width=\"202\" height=\"80\" \/><\/a><\/p>\n<p>These resources are decrypted by the dropper and contain:<\/p>\n<ul>\n<li>MNU: The communication module<\/li>\n<li>LNG: The wiper component<\/li>\n<li>PIC: The 64-bit version of the dropper<\/li>\n<\/ul>\n<p>Shamoon 2018 needs an argument to run and infect machines. 
It decrypts several strings in memory that gather information on the system and determine whether to drop the 32-bit or 64-bit version.<\/p>\n<p>It also drops the file key8854321.pub (MD5: 41f8cd9ac3fb6b1771177e5770537518) in the folder c:\\Windows\\Temp\\key8854321.pub.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-5.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93214\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-5.tif.png\" alt=\"\" width=\"427\" height=\"124\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-5.tif.png 427w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-5.tif-300x87.png 300w\" sizes=\"auto, (max-width: 427px) 100vw, 427px\" \/><\/a><\/p>\n<p>The malware decrypts two files used later:<\/p>\n<ul>\n<li>C:\\Windows\\inf\\mdmnis5tQ1.pnf<\/li>\n<li>C:\\Windows\\inf\\averbh_noav.pnf<\/li>\n<\/ul>\n<p>Shamoon enables the service RemoteRegistry, which allows a program to remotely modify the registry. 
It also <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/951016\/description-of-user-account-control-and-remote-restrictions-in-windows\">disables remote user account control<\/a> by enabling the registry key LocalAccountTokenFilterPolicy.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-7.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93213\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-7.tif.png\" alt=\"\" width=\"425\" height=\"191\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-7.tif.png 425w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-7.tif-300x135.png 300w\" sizes=\"auto, (max-width: 425px) 100vw, 425px\" \/><\/a><\/p>\n<p>The malware checks whether the following shares exist to copy itself and spread:<\/p>\n<ul>\n<li>ADMIN$<\/li>\n<li>C$\\WINDOWS<\/li>\n<li>D$\\WINDOWS<\/li>\n<li>E$\\WINDOWS<\/li>\n<\/ul>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-8.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93212\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-8.tif.png\" alt=\"\" width=\"520\" height=\"93\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-8.tif.png 520w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-8.tif-300x54.png 300w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p>Shamoon queries the service to retrieve specific information related to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/services\/localservice-account\">LocalService account<\/a>.<\/p>\n<p><a 
href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-9.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93211\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-9.tif.png\" alt=\"\" width=\"376\" height=\"234\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-9.tif.png 376w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-9.tif-300x187.png 300w\" sizes=\"auto, (max-width: 376px) 100vw, 376px\" \/><\/a><\/p>\n<p>It then retrieves the resources within the PE file to drop the components. Finding the location of the resource:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-10.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93210\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-10.tif.png\" alt=\"\" width=\"459\" height=\"425\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-10.tif.png 459w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-10.tif-300x278.png 300w\" sizes=\"auto, (max-width: 459px) 100vw, 459px\" \/><\/a><\/p>\n<p>Shamoon creates the file and sets the time to August 2012 as an antiforensic trick. 
It puts this date on any file it can destroy.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-11.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93209\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-11.tif.png\" alt=\"\" width=\"282\" height=\"397\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-11.tif.png 282w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-11.tif-213x300.png 213w\" sizes=\"auto, (max-width: 282px) 100vw, 282px\" \/><\/a><\/p>\n<p>A forged modification time is an antiforensic trick that can, for example, defeat detection based on a file timeline. We also observed that in some cases the date is briefly modified on the system, faking the date of each file. The files dropped on the system are stored in C:\\Windows\\System32\\.<\/p>\n<p>Before creating the malicious service, Shamoon elevates its privileges by impersonating a token. It first uses LogonUser and ImpersonateLoggedOnUser, then ImpersonateNamedPipeClient. 
Metasploit uses a similar technique to elevate privileges.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-12.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93208\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-12.tif.png\" alt=\"\" width=\"286\" height=\"525\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-12.tif.png 286w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-12.tif-163x300.png 163w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-12.tif-272x500.png 272w\" sizes=\"auto, (max-width: 286px) 100vw, 286px\" \/><\/a><\/p>\n<p>Elevating privileges is critical for malware to perform additional system modifications, which are usually restricted.<\/p>\n<p>Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service in its own process (ServiceType: 0x10):<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-13.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93207\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-13.tif.png\" alt=\"\" width=\"325\" height=\"247\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-13.tif.png 325w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-13.tif-300x228.png 300w\" sizes=\"auto, (max-width: 325px) 100vw, 325px\" \/><\/a><\/p>\n<p>If the service already exists, it reconfigures the existing service with the same parameters described above.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-14.tif.png\"><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-full wp-image-93206\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-14.tif.png\" alt=\"\" width=\"333\" height=\"263\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-14.tif.png 333w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-14.tif-300x237.png 300w\" sizes=\"auto, (max-width: 333px) 100vw, 333px\" \/><\/a><\/p>\n<p>It finally finishes creating MaintenaceSrv:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93173\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15.png\" alt=\"\" width=\"953\" height=\"547\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15.png 953w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15-300x172.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15-768x441.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-15-871x500.png 871w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93174\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-16.png\" alt=\"\" width=\"604\" height=\"132\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-16.png 604w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-16-300x66.png 300w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/a><\/p>\n<p>The wiper dropped on the system can have any 
one of the following names:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-42.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93228\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-42.png\" alt=\"\" width=\"555\" height=\"631\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-42.png 555w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-42-264x300.png 264w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-42-440x500.png 440w\" sizes=\"auto, (max-width: 555px) 100vw, 555px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Next the wiper runs to destroy the data.<\/p>\n<h2>Wiper<\/h2>\n<p>The wiper component is dropped into the System32 folder. It takes one parameter to run. The wiper driver is embedded in its resources.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93220 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B-1024x222.png\" alt=\"\" width=\"1024\" height=\"222\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B-1024x222.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B-300x65.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B-768x167.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-B.png 1252w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>We can see the encrypted resources, 101, in this screenshot:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-19.tif.png\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93205\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-19.tif.png\" alt=\"\" width=\"266\" height=\"177\" \/><\/a><\/p>\n<p>The resource decrypted is the driver ElRawDisk.sys, which wipes the disk.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-20.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93204\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-20.tif.png\" alt=\"\" width=\"667\" height=\"39\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-20.tif.png 667w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-20.tif-300x18.png 300w\" sizes=\"auto, (max-width: 667px) 100vw, 667px\" \/><\/a><\/p>\n<p>Extracting the resource:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-21.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93203\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-21.tif.png\" alt=\"\" width=\"658\" height=\"295\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-21.tif.png 658w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-21.tif-300x134.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93219 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C-1024x220.png\" alt=\"\" width=\"1024\" height=\"220\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C-1024x220.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C-300x64.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C-768x165.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-C.png 1248w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The preceding file is not malicious in itself but is considered risky because it is the original ElRawDisk driver, which the wiper abuses for raw disk access.<\/p>\n<p>The wiper creates a service to run the driver with the following command:<\/p>\n<pre style=\"padding-left: 30px;\">sc create hdv_725x type= kernel start= demand binpath= WINDOWS\\hdv_725x.sys 2&gt;&amp;1 &gt;nul<\/pre>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93180\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-22.png\" alt=\"\" width=\"273\" height=\"279\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-22.png 273w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-22-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-22-48x48.png 48w\" sizes=\"auto, (max-width: 273px) 100vw, 273px\" \/><\/a>\u00a0<a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93181\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-23.png\" alt=\"\" width=\"245\" height=\"803\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-23.png 245w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-23-153x500.png 153w\" sizes=\"auto, (max-width: 245px) 100vw, 245px\" \/><\/a><\/p>\n<p>The following screenshot shows the execution of this command:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-24.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93202\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-24.tif.png\" alt=\"\" width=\"604\" height=\"207\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-24.tif.png 604w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-24.tif-300x103.png 300w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>The malware overwrites every file in c:\\Windows\\System32, placing the machine in a critical state. All the files on the system are overwritten.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93183\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-25.png\" alt=\"\" width=\"447\" height=\"901\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-25.png 447w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-25-149x300.png 149w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-25-248x500.png 248w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/a><\/p>\n<p>The overwriting process:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-26.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93201\" 
src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-26.tif.png\" alt=\"\" width=\"604\" height=\"215\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-26.tif.png 604w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-26.tif-300x107.png 300w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/a><\/p>\n<p>Finally, it forces the reboot with the following command:<\/p>\n<pre style=\"padding-left: 30px;\">Shutdown -r -f -t 2<\/pre>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93185\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-27.png\" alt=\"\" width=\"316\" height=\"447\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-27.png 316w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-27-212x300.png 212w\" sizes=\"auto, (max-width: 316px) 100vw, 316px\" \/><\/a>\u00a0<a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-28.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93200\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-28.tif.png\" alt=\"\" width=\"411\" height=\"161\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-28.tif.png 411w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-28.tif-300x118.png 300w\" sizes=\"auto, (max-width: 411px) 100vw, 411px\" \/><\/a><\/p>\n<p>Once the system is rebooted it shows a blue screen:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone 
size-full wp-image-93187\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-29.png\" alt=\"\" width=\"422\" height=\"260\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-29.png 422w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-29-300x185.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/a><\/p>\n<h2>Worm<\/h2>\n<p>The worm component is extracted from the resources from the dropper. Destructive malware usually uses spreading techniques to infect machines as quickly as possible.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93218 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D-1024x222.png\" alt=\"\" width=\"1024\" height=\"222\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D-1024x222.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D-300x65.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D-768x167.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-D.png 1254w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The worm component can take the following names:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93188\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30.png\" alt=\"\" width=\"805\" height=\"865\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30.png 805w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30-279x300.png 279w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30-768x825.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-30-465x500.png 465w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" \/><\/a><\/p>\n<p>We noticed the capability to scan for the local network and connect to a potential control server:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-31.tif.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93199\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-31.tif.png\" alt=\"\" width=\"238\" height=\"518\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-31.tif.png 238w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-31.tif-138x300.png 138w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-31.tif-230x500.png 230w\" sizes=\"auto, (max-width: 238px) 100vw, 238px\" \/><\/a><\/p>\n<p>Although the worm component can spread the dropper and connect to a remote server, the component was not used in this version.<\/p>\n<h2>Conclusion<\/h2>\n<p>Aside from the major destruction this malware can cause, the wiper component can be used independently from the dropper. The wiper does not have to rely on the main stub process. The 2018 Shamoon variant\u2019s functionality indicates modular development. This enables the wiper to be used by malware droppers other than Shamoon.<\/p>\n<p>Shamoon is showing signs of evolution; however, these advancements did not escape detection by McAfee DATs. We expect to see additional attacks in the Middle East (and beyond) by these adversaries. 
We will continue to monitor our telemetry and will update this analysis as we learn more.<\/p>\n<h2>MITRE ATT&amp;CK&#x2122; matrix<\/h2>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93190\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33.png\" alt=\"\" width=\"1136\" height=\"317\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33.png 1136w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33-300x84.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33-768x214.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181214-Shamoon-33-1024x286.png 1024w\" sizes=\"auto, (max-width: 1136px) 100vw, 1136px\" \/><\/a><\/p>\n<h2>Indicators of compromise<\/h2>\n<ul>\n<li>df177772518a8fcedbbc805ceed8daecc0f42fed (Original dropper x86)<\/li>\n<li>ceb7876c01c75673699c74ff7fac64a5ca0e67a1 (Wiper)<\/li>\n<li>10411f07640edcaa6104f078af09e2543aa0ca07 (Worm module)<\/li>\n<li>43ed9c1309d8bb14bd62b016a5c34a2adbe45943 (key8854321.pub)<\/li>\n<li>bf3e0bc893859563811e9a481fde84fe7ecd0684 (RawDisk driver)<\/li>\n<\/ul>\n<h2>McAfee 
detection<\/h2>\n<ul>\n<li>Trojan-Wiper!DE07C4AC94A5<\/li>\n<li>RDN\/Generic.dx<\/li>\n<li>Trojan-Wiper<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by&#8230;<\/p>\n","protected":false},"author":1028,"featured_media":93005,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411,5526,338,180],"coauthors":[5540,4688,5349,3576],"class_list":["post-93157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-advanced-persistent-threats","tag-advanced-threat-research","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Destructive malware has been employed by adversaries for years. 
Usually such attacks are carefully targeted and can be motivated by ideology, politics, or\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-14T20:32:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-20T07:01:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1415\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Alexandre Mundo, Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ValthekOn\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alexandre Mundo, Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\"},\"author\":{\"name\":\"Alexandre Mundo\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c3f45299d8c53eed9afcc781d0664cb0\"},\"headline\":\"Shamoon Returns to Wipe Systems in Middle East, Europe\",\"datePublished\":\"2018-12-14T20:32:41+00:00\",\"dateModified\":\"2024-02-20T07:01:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\"},\"wordCount\":1346,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg\",\"keywords\":[\"advanced persistent threats\",\"Advanced Threat Research\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\",\"name\":\"Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg\",\"datePublished\":\"2018-12-14T20:32:41+00:00\",\"dateModified\":\"2024-02-20T07:01:58+00:00\",\"description\":\"Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg\",\"width\":2048,\"height\":1415},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"O
ther Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Shamoon Returns to Wipe Systems in Middle East, Europe\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c3f45299d8c53eed9afcc781d0664cb0\",\"name\":\"Alexandre 
Mundo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/80b0982f90036536db33ea6886ff3c35\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/alex-150x150.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/alex-150x150.png\",\"caption\":\"Alexandre Mundo\"},\"description\":\"Alexandre Mundo, Senior Malware Analyst is part of Mcafee's Advanced Threat Research team. He reverses the new threads in advanced attacks and make research of them in a daily basis. He is focused in APT and new, and old but very active, ransomware attacks and malware. He performs malware and forensic analysis and teach junior malware analysts and has developed training courses, workshops and presentations of malware analysis. He worked as freelance and consultor in the past too.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/alexandre-mundo-alguacil-38a98011a\/\",\"https:\/\/x.com\/ValthekOn\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/alexandre-mundo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee Blog","description":"Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee Blog","og_description":"Destructive malware has been employed by adversaries for years. 
Usually such attacks are carefully targeted and can be motivated by ideology, politics, or","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2018-12-14T20:32:41+00:00","article_modified_time":"2024-02-20T07:01:58+00:00","og_image":[{"width":2048,"height":1415,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg","type":"image\/jpeg"}],"author":"Alexandre Mundo, Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek","twitter_card":"summary_large_image","twitter_creator":"@ValthekOn","twitter_site":"@McAfee","twitter_misc":{"Written by":"Alexandre Mundo, Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/"},"author":{"name":"Alexandre Mundo","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c3f45299d8c53eed9afcc781d0664cb0"},"headline":"Shamoon Returns to Wipe Systems in Middle East, 
Europe","datePublished":"2018-12-14T20:32:41+00:00","dateModified":"2024-02-20T07:01:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/"},"wordCount":1346,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg","keywords":["advanced persistent threats","Advanced Threat Research","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/","name":"Shamoon Returns to Wipe Systems in Middle East, Europe | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg","datePublished":"2018-12-14T20:32:41+00:00","dateModified":"2024-02-20T07:01:58+00:00","description":"Destructive malware has been employed by adversaries for years. 
Usually such attacks are carefully targeted and can be motivated by ideology, politics, or","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/Digitally-Generated-Image-of-Online-Virus-Concept.jpg","width":2048,"height":1415},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Shamoon Returns to Wipe Systems in Middle East, Europe"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c3f45299d8c53eed9afcc781d0664cb0","name":"Alexandre Mundo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/80b0982f90036536db33ea6886ff3c35","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/alex-150x150.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/alex-150x150.png","caption":"Alexandre Mundo"},"description":"Alexandre Mundo, Senior Malware Analyst is part of Mcafee's Advanced Threat Research team. He reverses the new threads in advanced attacks and make research of them in a daily basis. He is focused in APT and new, and old but very active, ransomware attacks and malware. 
He performs malware and forensic analysis and teach junior malware analysts and has developed training courses, workshops and presentations of malware analysis. He worked as freelance and consultor in the past too.","sameAs":["https:\/\/www.linkedin.com\/in\/alexandre-mundo-alguacil-38a98011a\/","https:\/\/x.com\/ValthekOn"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/alexandre-mundo\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1028"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=93157"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93157\/revisions"}],"predecessor-version":[{"id":183205,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93157\/revisions\/183205"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/93005"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=93157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=93157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=93157"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=93157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}