{
	"id": "7df80c94-a56b-46b2-809d-548156cb2cc0",
	"created_at": "2026-04-06T00:22:04.943965Z",
	"updated_at": "2026-04-10T13:11:26.30677Z",
	"deleted_at": null,
	"sha1_hash": "b340d5c750b8ea980e790c97c9851927a2616862",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42613,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 15:42:08 UTC\r\nShamoon (W32.Disttrack), the aggressive disk-wiping malware which was used in attacks against the Saudi energy sector in 2012, has made a surprise comeback and was used in a fresh wave of attacks against targets in Saudi Arabia.\r\nThe malware used in the recent attacks (W32.Disttrack.B) is largely unchanged from the variant used four years ago. In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year.\r\nCarefully planned operation\r\nThe attackers appear to have done a significant amount of preparatory work for the operation. The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization’s network. How the attackers obtained the stolen credentials is unknown.\r\nThe malware had a default configuration that triggered the disk-wiping payload at 8:45pm local time on Thursday, November 17. The Saudi Arabian working week runs from Sunday to Thursday. It would appear that the attack was timed to occur after most staff had gone home for the weekend in the hope of reducing the chance of discovery before maximum damage could be caused.\r\nHow Shamoon works\r\nShamoon uses a number of components to infect computers. The first component is a dropper, which creates a service with the name ‘NtsSrv’ to remain persistent on the infected computer. It spreads across a local network by copying itself on to other computers and will drop additional components to infected computers. The dropper comes in 32-bit and 64-bit versions. If the 32-bit dropper detects a 64-bit architecture, it will drop the 64-bit version.\r\nThe second component is the wiper, which drops a third component, known as the Eldos driver. This enables access to the hard disk directly from user-mode without the need for Windows APIs. The wiper uses the Eldos driver to overwrite the hard disk with the aforementioned photos of the Syrian boy.\r\nThe final component is the reporter. This is responsible for handling communications with a command and control (C\u0026C) server operated by the attackers. It can download additional binaries from the C\u0026C server and change the pre-configured disk-wiping time if instructed by the C\u0026C server. It is also configured to send a report verifying that a disk has been wiped to the C\u0026C server.\r\nBack with a bang\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 2\n\nAlthough attacks involving destructive malware such as Shamoon are relatively rare, they can be highly disruptive for the targeted organization, potentially knocking mission-critical computers offline.\r\nWhy Shamoon has suddenly returned after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.\r\nProtection\r\nSymantec and Norton products protect against Shamoon with the following detections:\r\nAntivirus\r\nW32.Disttrack\r\nW32.Disttrack!gen1\r\nW32.Disttrack!gen4\r\nW32.Disttrack!gen6\r\nW32.Disttrack!gen7\r\nW32.Disttrack!gen8\r\nW32.Disttrack.B\r\nIntrusion prevention system\r\nSystem Infected: Disttrack Trojan Activity 2\r\nSystem Infected: Disttrack Trojan Activity 3\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b340d5c750b8ea980e790c97c9851927a2616862.pdf",
		"text": "https://archive.orkl.eu/b340d5c750b8ea980e790c97c9851927a2616862.txt",
		"img": "https://archive.orkl.eu/b340d5c750b8ea980e790c97c9851927a2616862.jpg"
	}
}