Shamoon

Malware Profile Updated 3 months ago
Shamoon is destructive malware (a wiper) known for wiping data from infected systems. It first gained notoriety in 2012 when it was used in an attack on Saudi Aramco, crippling approximately 30,000 systems at the company. The malware replaced the contents of the hard drives with an image of a burning American flag, rendering the workstations unusable.

Iran's Islamic Revolutionary Guard Corps (IRGC) has since been linked to disruptive and destructive attacks such as the Shamoon wiper attacks against oil and gas companies in Saudi Arabia and Qatar.

In 2016 and 2017 multiple Saudi entities, including petrochemical firm Tasnee and a joint venture between Saudi Aramco and Dow Chemical, fell victim to Shamoon again. These attacks, often referred to as Shamoon 2, used variants of the Disttrack wiper similar to the original Shamoon, and the malware was delivered in a way that resembled earlier Disttrack samples, indicating a consistent modus operandi. Some of the same victims were also targeted by other threat actors such as Elfin and infected with different malware such as StoneDrill, but no conclusive evidence has been found that Elfin was responsible for the Shamoon attacks.

More than a decade after the initial Shamoon attacks, the need for collective protection and for international cybersecurity standards and best practices continues to be emphasized, since warding off such threats cannot be the sole responsibility of a single institution or sector. Despite the relatively unsophisticated nature of wiper malware like Shamoon, its effectiveness has been demonstrated repeatedly, underscoring the importance of robust defenses.
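The profile above describes Shamoon's effect rather than its internals: the disk contents are overwritten with a picture file, so the machine no longer boots. The following is an added triage example written for this page (it is not Shamoon code, nor code from any of the vendor reports listed below) showing what a forensic analyst checks on a raw disk image to tell an intact boot sector from one overwritten by a picture file. It assumes the wiper wrote the picture starting at offset 0 of the disk; the sample sectors are constructed inline.

```python
"""Triage check for a disk image whose first sector may have been overwritten by a wiper.

Added example, not code from the profile above or from any vendor report. It inspects
only the first 512-byte sector: a legitimate MBR ends in the 0x55AA boot signature and
carries a partition table at 0x1BE, whereas a sector that instead starts with a known
picture-file magic number is consistent with the Shamoon-style overwrite described
above (assumption: the picture was written from offset 0). All sample "disks" below
are constructed in-line.
"""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"

# Magic numbers of common picture formats (well-known values, not Shamoon-specific).
IMAGE_MAGIC = {
    "jpeg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
}


def classify_sector0(sector: bytes) -> dict:
    """Return a verdict dict for the first 512 bytes of a disk."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    s = sector[:SECTOR]
    has_sig = s[510:512] == BOOT_SIGNATURE
    fmt = next((name for name, magic in IMAGE_MAGIC.items() if s.startswith(magic)), None)
    # A valid MBR carries four 16-byte partition entries at 0x1BE; require at least one
    # with a plausible boot-indicator byte (0x00 or 0x80) and a non-zero partition type.
    entries = [s[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)] for i in range(4)]
    plausible_part = any(e[0] in (0x00, 0x80) and e[4] != 0 for e in entries)
    if has_sig and plausible_part and fmt is None:
        verdict = "intact-mbr"
    elif fmt is not None:
        verdict = f"overwritten-with-{fmt}"
    elif not has_sig:
        verdict = "overwritten-or-zeroed"
    else:
        verdict = "signature-only"  # signature present but no usable partition table
    return {
        "boot_signature": has_sig,
        "image_magic": fmt,
        "partition_table": plausible_part,
        "verdict": verdict,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: a minimal MBR with one bootable NTFS primary partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x3C\x90"  # typical jump at the start of boot code
    # entry 0: status 0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS),
    # LBA start 2048, 1 GiB worth of 512-byte sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
    mbr[0x1BE:0x1BE + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_wiped(kind: str = "jpeg") -> bytes:
    """Constructed sample: sector 0 overwritten from offset 0 with a picture file."""
    magic = IMAGE_MAGIC[kind]
    return magic + b"\x00" * (SECTOR - len(magic))


def build_sample_zeroed() -> bytes:
    """Constructed sample: sector 0 zero-filled (no signature, no picture magic)."""
    return b"\x00" * SECTOR


if __name__ == "__main__":
    for label, disk in [("clean", build_sample_mbr()),
                        ("wiped-jpeg", build_sample_wiped("jpeg")),
                        ("zeroed", build_sample_zeroed())]:
        print(label, classify_sector0(disk))
```

On a real acquisition, read the first 512 bytes of the raw image (open(path, "rb").read(512)) and pass them to classify_sector0. A missing 0x55AA signature alone also fits plain zero-filling, so it is the picture-magic check that ties a result to the overwrite pattern the profile describes. GPT disks still carry a protective MBR in sector 0, so the same check applies to them.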
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Wiper
Malware
Iran
Dropper
APT
Iranian
Ransomware
Phishing
Fortinet
FireEye
Symantec
Microsoft
Associated Malware
Stuxnet (Unspecified, 2 votes): Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a [...]

Disttrack (is related to, 1 vote): Disttrack, also known as Shamoon, is destructive malware that was first identified in the 2012 cyber-attacks on Saudi Aramco and RasGas. It is designed to infiltrate systems and cause significant damage by wiping data. The malware operates by installing a communication [...]

ZeroCleare (is related to, 1 vote): ZeroCleare is a wiper known for its destructive capabilities. It targets computer systems and networks, rendering them unusable by deleting critical files and data. It has been linked to several actors associated with Iran's Ministry of Intellige[...]

Dustman (is related to, 1 vote): Dustman is a destructive malware variant, specifically a wiper, that was first identified in late December 2019. It was discovered following incidents involving similar wipers such as ZEROCLEARE. Historically, these types of malware and their raw disk drivers were unsigned, m[...]

AcidRain (Unspecified, 1 vote): AcidRain is a wiper first described by cybersecurity firm SentinelOne in March 2022, following the February 2022 cyberattack that disrupted approximately 10,000 satellite modems on communications provider Viasat's KA-SAT network [...]

StoneDrill (Unspecified, 1 vote): StoneDrill is a wiper discovered in 2017 during investigation of the Shamoon 2 attacks. Besides destroying data, it can open a backdoor on an infected computer and download additional files.
Associated Threat Actors
APT33 (has used, 1 vote): APT33, an Iran-linked threat actor, has been identified as a significant cyber threat to the Defense Industrial Base sector. The group is known for its sophisticated and malicious activity. APT33, like other threat actors, could be a s[...]

Lazarus Group (Unspecified, 1 vote): The Lazarus Group, a threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. Its activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-[...]

Elfin (Unspecified, 1 vote): Elfin, also known as Curious Serpens, Peach Sandstorm, APT33, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor with a track record of malicious cyber activity dating back to at least 2013. The group was particularly active from 2016 to 2019, target[...]

Peach Sandstorm (Unspecified, 1 vote): Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group believed to be linked to the Iranian state. The group has been active since at least 2013 and has previously targeted sectors such as aerospace and energy for espionag[...]
Associated Vulnerabilities
Disttrack Wiper (Unspecified, 1 vote): no description
Shamoon Wiper Malware (Unspecified, 1 vote): no description
Source Document References
Information about the Shamoon malware was read from the documents listed below (display limited to 20 results).
DARKReading, 4 months ago: Russian APT Releases More Deadly Variant of AcidRain Wiper Malware
DARKReading, 7 months ago: Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
DARKReading, 8 months ago: Mideast Oil & Gas Facilities Could Face Cyber-Related Energy Disruptions
DARKReading, 9 months ago: Saudi Aramco CEO Warns of New Threat of Generative AI
CERT-EU, 9 months ago: The Urgency for Robust Utility Cybersecurity
CERT-EU, 10 months ago: The Fiji Times » Cybersecurity
CERT-EU, 10 months ago: Microsoft: Iranian espionage campaign targeted satellite and defense sectors
CERT-EU, a year ago: Connect the Dots on State-Sponsored Cyber Incidents - APT 33
MITRE, a year ago: APT trends report Q1 2020
MITRE, a year ago: Dragonfly: Western energy sector targeted by sophisticated attack group
MITRE, a year ago: Iran Ups its Traditional Cyber Espionage Tradecraft
MITRE, a year ago: Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
MITRE, a year ago: EKANS Ransomware and ICS Operations | Dragos
MITRE, a year ago: Shamoon 3 Targets Oil and Gas Organization
MITRE, a year ago: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
MITRE, a year ago: OVERRULED: Containing a Potentially Destructive Adversary | Mandiant
Securelist, a year ago: Stolen certificates in two waves of ransomware and wiper attacks
DARKReading, a year ago: Wiper Malware Surges Ahead, Spiking 53% in 3 Months