{
	"id": "4c2fde61-fbf8-43d9-bafe-576648c1b4b5",
	"created_at": "2026-04-06T00:08:13.131737Z",
	"updated_at": "2026-04-10T03:21:34.880746Z",
	"deleted_at": null,
	"sha1_hash": "aec25c71f82b7134efb7ade58f05bc6eec058a6b",
	"title": "FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56978,
	"plain_text": "FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region\r\nBy FireEye | Advanced Malware\r\nPublished: 2016-12-01 · Archived: 2026-04-05 16:44:45 UTC\r\nThreat Research\r\nIn 2012, a suspected Iranian hacker group calling itself the “Cutting Sword of Justice” used malware known as Shamoon, or Disttrack. In mid-November 2016, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has responded to multiple incidents at other organizations in the region.\r\nShamoon 2.0 is a reworked and updated version of the malware we saw in the 2012 incident. Analysis shows the malware contains embedded credentials, which suggests the attackers may have previously conducted targeted intrusions to harvest the necessary credentials before launching the subsequent destructive attack.\r\nFireEye HX and FireEye NX both detect Shamoon 2.0, and our Multi-Vector Virtual Execution (MVX) engine is also able to proactively detect this malware.\r\nThe following is a summary of what we know about Shamoon 2.0 based on the samples we’ve analyzed:\r\nThe malware scans the /24 (class C) subnet of the IP address assigned to every interface on the system for target systems.\r\nThe malware then tries to access the ADMIN$, C$\\Windows, D$\\Windows, and E$\\Windows shares on the target systems with its current privileges.\r\nIf the current privileges aren’t enough to access the aforementioned shares, it uses hard-coded, domain-specific credentials (privileged credentials, likely Domain Administrator or local Administrator) gained during an earlier phase of the attack to attempt the same.\r\nOnce it has access, it enables the Remote Registry service on the target device and sets HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 0 to enable share access. (Note that Microsoft documents this value the other way round: 1 disables UAC remote restrictions so that remote logons with local administrator accounts receive an unfiltered token, while 0 is the default that filters them. Confirm the value written by the sample you are analyzing before keying a detection on a specific value.)\r\nOnce it has performed the earlier actions, it copies ntssrvr32.exe to the %WINDIR%\\system32 directory of the target system and schedules an unnamed task (e.g., At1.job) to execute the malware.\r\nThe identified malware had a hard-coded date on which to launch the wiping. Systems infected with the malware scheduled the job to start the process shortly thereafter.\r\nThe malware sets the system clock to a random date in August 2012. Analysis suggests this might be for the purpose of ensuring that the component that wipes the Master Boot Record (MBR) and Volume Boot Record (VBR), a legitimate driver used maliciously, is within its test license validity period.\r\nWhile the original Shamoon malware attempted to overwrite operating system files with an image of a burning U.S. flag, the recently discovered variant attempts to overwrite Windows operating system files with a different image, a .JPG file depicting the death of Alan Kurdi, a Syrian child migrant who died while attempting to cross the Mediterranean Sea.\r\nhttps://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html\r\nPage 1 of 5\r\nThe following is guidance for detecting the malware, counteracting its activity, and attempting to prevent it from propagating in an environment. 
Please note that any of these actions could have a negative effect on operations and should not be implemented without proper review and study of their impact on the environment.\r\nMonitor any events in the SIEM that show dates in August 2012.\r\nMonitor for system time change events that set the clock back to, or forward again from, August 2012.\r\nMonitor for Remote Registry service starts.\r\nMonitor for changes to the aforementioned LocalAccountTokenFilterPolicy registry value, at least on systems where the value is currently non-zero.\r\nPrevent and limit access to the aforementioned administrative shares; depending on the environment, this could have a significant impact.\r\nPrevent client-to-client communication to slow the spread of the malware; this too could have a significant impact depending on the environment.\r\nMonitor file systems for the creation of any of the file names provided in the Indicators of Compromise list at the bottom of the post.\r\nChange the credentials of all privileged accounts and ensure local Administrator passwords are unique per system.\r\nIndicators of Compromise\r\nThe following is a set of Indicators of Compromise for the identified Shamoon variant. We recommend that critical infrastructure organizations and government agencies (especially those in the Gulf Cooperation Council region) check immediately for the presence or execution of these files within their Windows Server and Workstation environments. 
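The monitoring items above, turned into detection logic as an added example (this is not code from the FireEye post): a small Python rule set that flags each host-side indicator the post describes, namely records dated August 2012, system time changes into or out of August 2012, Remote Registry starts, modification of LocalAccountTokenFilterPolicy, creation of the IOC file names listed further down, AtN scheduled tasks, and installation of the NtsSrv service. The dictionary shape of the events, its field names and the sample records are assumptions made for this example; the Windows event IDs it keys on (Security 4616, 4657 and 4698; Service Control Manager 7036 and 7045; Sysmon 11) are the standard ones for those event types, and the 4657 handling maps the kernel-object key prefix that event uses onto the HKLM notation used in the post.

```python
'''Rule set for the Shamoon 2.0 host indicators described in the post.
Added example, not code from the FireEye post. Events are constructed,
normalised Windows records in a SIEM-like dict shape; field names and
sample values are assumptions made for this example.
'''
import re
from datetime import datetime

# File names taken from the IOC list in the post, lower-cased for matching.
IOC_FILENAMES = {
    'ntssrvr64.exe', 'ntssrvr32.exe', 'ntssrvr32.bat', 'gpget.exe',
    'drdisk.sys', 'key8854321.pub', 'netinit.exe', 'usbvideo324.pnf',
}
LATFP_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
LATFP_VALUE = 'localaccounttokenfilterpolicy'
AT_JOB = re.compile('At[0-9]+', re.IGNORECASE)  # task names created by at.exe


def in_august_2012(ts):
    '''True if an ISO-8601 timestamp (Z or numeric offset) falls in August 2012.'''
    try:
        d = datetime.fromisoformat(ts.replace('Z', '+00:00'))
    except ValueError:
        return False
    return d.year == 2012 and d.month == 8


def basename(path):
    '''Last path component, lower-cased; accepts either slash style.'''
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def normalise_key(key):
    '''Map the kernel-object prefix used by Security event 4657 onto HKLM.'''
    prefix = '\\REGISTRY\\MACHINE'
    key = key.strip()
    if key.upper().startswith(prefix):
        key = 'HKLM' + key[len(prefix):]
    return key.lower()


def evaluate(event):
    '''Return the names of the rules one event matches (empty list if none).'''
    hits = []
    eid = event.get('event_id')
    svc = event.get('service_name', '').lower()
    # A record whose own timestamp is in August 2012 came from a host with a spoofed clock.
    if in_august_2012(event.get('timestamp', '')):
        hits.append('event_dated_august_2012')
    # Security 4616: system time changed into, or back out of, August 2012.
    if eid == 4616 and (in_august_2012(event.get('previous_time', ''))
                        or in_august_2012(event.get('new_time', ''))):
        hits.append('clock_set_to_or_from_august_2012')
    # Service Control Manager 7036: Remote Registry entered the running state.
    if (eid == 7036 and svc in ('remote registry', 'remoteregistry')
            and event.get('state', '').lower() == 'running'):
        hits.append('remote_registry_started')
    # Security 4657: the LocalAccountTokenFilterPolicy value was modified.
    if (eid == 4657 and normalise_key(event.get('object_name', '')) == LATFP_KEY.lower()
            and event.get('value_name', '').lower() == LATFP_VALUE):
        hits.append('localaccounttokenfilterpolicy_modified')
    # Sysmon 11 (FileCreate): one of the IOC file names was written.
    if eid == 11 and basename(event.get('target_filename', '')) in IOC_FILENAMES:
        hits.append('ioc_file_created')
    # Security 4698: a scheduled task named AtN (at.exe style) was created.
    if eid == 4698 and AT_JOB.fullmatch(event.get('task_name', '').lstrip('\\')):
        hits.append('at_job_created')
    # Service Control Manager 7045: a service named NtsSrv was installed.
    if eid == 7045 and svc == 'ntssrv':
        hits.append('ntssrv_service_installed')
    return hits


def hunt(events):
    '''Group rule hits per host so the staging sequence shows up as one finding.'''
    per_host = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            per_host.setdefault(ev.get('host', 'unknown'), []).extend(hits)
    return per_host


# Constructed sample records (not real telemetry): one host being staged, one benign.
SAMPLE_EVENTS = [
    {'host': 'ws-017', 'timestamp': '2016-11-17T09:12:03Z', 'event_id': 7036,
     'service_name': 'Remote Registry', 'state': 'running'},
    {'host': 'ws-017', 'timestamp': '2016-11-17T09:12:05Z', 'event_id': 4657,
     'object_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System',
     'value_name': 'LocalAccountTokenFilterPolicy', 'new_value': '0'},
    {'host': 'ws-017', 'timestamp': '2016-11-17T09:12:09Z', 'event_id': 11,
     'target_filename': 'C:\\Windows\\System32\\ntssrvr32.exe'},
    {'host': 'ws-017', 'timestamp': '2016-11-17T09:12:10Z', 'event_id': 4698, 'task_name': '\\At1'},
    {'host': 'ws-017', 'timestamp': '2016-11-17T20:45:00Z', 'event_id': 4616,
     'previous_time': '2016-11-17T20:45:00Z', 'new_time': '2012-08-23T04:17:52Z'},
    {'host': 'ws-017', 'timestamp': '2012-08-23T04:18:01Z', 'event_id': 7045, 'service_name': 'NtsSrv'},
    {'host': 'srv-db2', 'timestamp': '2016-11-17T09:13:00Z', 'event_id': 11,
     'target_filename': 'C:\\Windows\\System32\\drivers\\etc\\hosts'},
    {'host': 'srv-db2', 'timestamp': '2016-11-17T09:14:00Z', 'event_id': 4698,
     'task_name': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'},
]

if __name__ == '__main__':
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, '->', ', '.join(hits))
```

Run it directly to print the per-host hits for the constructed records. Grouping by host is the point: a Remote Registry start or an At job on its own is noise on most estates, whereas share access, file drop, scheduled task and clock change on one host within minutes is the staging sequence the post describes, and the August 2012 timestamp rule additionally catches records from hosts whose clock has already been set back.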
Additionally, we recommend that all customers continue to regularly review and test disaster recovery plans for critical systems within their environment.\r\nFile name: ntssrvr64.exe\r\nPath: %SYSTEMROOT%\\System32\r\nCompile time: 2009/02/15 12:32:19\r\nFile size: 717,312\r\nFile name: ntssrvr32.exe\r\nPath: %SYSTEMROOT%\\System32\r\nCompile time: NA\r\nMD5: NA\r\nFile size: 1,349,632\r\nFile name: ntssrvr32.bat\r\nPath: %SYSTEMROOT%\\System32\r\nCompile time: NA\r\nMD5: 10de241bb7028788a8f278e27a4e335f\r\nFile size: 160\r\nFile name: gpget.exe\r\nPath: %SYSTEMROOT%\\System32\r\nCompile time: 2009/02/15 12:30:41\r\nMD5: c843046e54b755ec63ccb09d0a689674\r\nFile size: 327,680\r\nFile name: drdisk.sys\r\nPath: %SYSTEMROOT%\\System32\\Drivers\r\nCompile time: 2011/12/28 16:51:29\r\nMD5: 76c643ab29d497317085e5db8c799960\r\nFile size: 31,632\r\nFile name: key8854321.pub\r\nPath: %SYSTEMROOT%\\System32\r\nMD5: b5d2a4d8ba015f3e89ade820c5840639\r\nFile size: 782\r\nFile name: netinit.exe\r\nPath: %SYSTEMROOT%\\System32\r\nMD5: ac4d91e919a3ef210a59acab0dbb9ab5\r\nFile size: 183,808\r\nService Details\r\nDisplay name: \"Microsoft Network Realtime Inspection Service\"\r\nService name: \"NtsSrv\"\r\nDescription: \"Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols\"\r\nFiles created:\r\n%WINDIR%\\inf\\usbvideo324.pnf\r\n%WINDIR%\\system32\\netinit.exe\r\nDynamic Analysis Observables\r\nRegistryItem HKLM\\SYSTEM\\CurrentControlSet\\Services\\NtsSrv\\\r\nRegistryItem HKLM\\SYSTEM\\ControlSet001\\Services\\NtsSrv\\\r\nRegistryItem HKLM\\SYSTEM\\CurrentControlSet\\Services\\wow32\\\r\nRegistryItem HKLM\\SYSTEM\\ControlSet001\\Services\\wow32\\\r\nRegistryItem HKLM\\SYSTEM\\CurrentControlSet\\Services\\drdisk\\\r\nRegistryItem HKLM\\SYSTEM\\ControlSet001\\Services\\drdisk\\\r\nFileItem C:\\Windows\\System32\\caclsrv.exe\r\nFileItem C:\\Windows\\System32\\certutl.exe\r\nFileItem C:\\Windows\\System32\\clean.exe\r\nFileItem C:\\Windows\\System32\\ctrl.exe\r\nFileItem C:\\Windows\\System32\\dfrag.exe\r\nFileItem C:\\Windows\\System32\\dnslookup.exe\r\nFileItem C:\\Windows\\System32\\dvdquery.exe\r\nFileItem C:\\Windows\\System32\\event.exe\r\nFileItem C:\\Windows\\System32\\extract.exe\r\nFileItem C:\\Windows\\System32\\findfile.exe\r\nFileItem C:\\Windows\\System32\\fsutl.exe\r\nFileItem C:\\Windows\\System32\\gpget.exe\r\nFileItem C:\\Windows\\System32\\iissrv.exe\r\nFileItem C:\\Windows\\System32\\ipsecure.exe\r\nFileItem C:\\Windows\\System32\\msinit.exe\r\nFileItem C:\\Windows\\System32\\netx.exe\r\nFileItem C:\\Windows\\System32\\ntdsutl.exe\r\nFileItem C:\\Windows\\System32\\ntfrsutil.exe\r\nFileItem C:\\Windows\\System32\\ntnw.exe\r\nFileItem C:\\Windows\\System32\\power.exe\r\nFileItem C:\\Windows\\System32\\rdsadmin.exe\r\nFileItem C:\\Windows\\System32\\regsys.exe\r\nFileItem C:\\Windows\\System32\\routeman.exe\r\nFileItem C:\\Windows\\System32\\rrasrv.exe\r\nFileItem C:\\Windows\\System32\\sacses.exe\r\nFileItem C:\\Windows\\System32\\sfmsc.exe\r\nFileItem C:\\Windows\\System32\\sigver.exe\r\nFileItem C:\\Windows\\System32\\smbinit.exe\r\nFileItem C:\\Windows\\System32\\wcscript.exe\r\nSource: https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
	],
	"report_names": [
		"fireeye_respondsto.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aec25c71f82b7134efb7ade58f05bc6eec058a6b.pdf",
		"text": "https://archive.orkl.eu/aec25c71f82b7134efb7ade58f05bc6eec058a6b.txt",
		"img": "https://archive.orkl.eu/aec25c71f82b7134efb7ade58f05bc6eec058a6b.jpg"
	}
}