{
	"id": "0df06031-09da-4866-87e5-175f21e14e38",
	"created_at": "2026-04-06T00:14:31.17106Z",
	"updated_at": "2026-04-10T03:34:00.395461Z",
	"deleted_at": null,
	"sha1_hash": "c38b1d51363d56d47ee4794f35f8e1e665403dfd",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55313,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 18:28:01 UTC\r\nRecent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were launched by attackers\r\nconducting a much wider campaign in the Middle East. While the attackers have compromised multiple targets in\r\nthe region, only selected targets in Saudi Arabia were infected with Shamoon.\r\nOn February 15, publications from IBM (The Full Shamoon) and Palo Alto (Magic Hound) separately discussed a\r\npersistent attack campaign operating primarily in the Middle East with links to Shamoon. This campaign was\r\nconducted by a group we identify as Timberworm. The group appears to have facilitated the third wave of\r\ndestructive attacks involving Shamoon in January 2017. Timberworm operates in the Middle East and beyond.\r\nOnly specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping\r\nattacks.\r\nDuring the January attacks, Symantec discovered a high correlation between Timberworm and the presence of\r\nShamoon in a number of organizations in Saudi Arabia. Timberworm appears to have gained access to these\r\norganizations’ networks weeks and, in some cases, months before the Shamoon attacks occurred. Once on the\r\nnetwork, the attackers' primary goal appeared to be similar to Greenbug (an actor previously discussed in relation\r\nto the November 17 wave of attacks): detailed network reconnaissance, credential harvesting, and persistent\r\nremote access.\r\nWhen Timberworm had sufficient access to a number of high value organizations, Shamoon was then\r\npreconfigured with a wipe date and the necessary credentials to maximize the overall impact during a coordinated\r\nattack. This procedure is consistent with what was observed during Greenbug operations prior to the November 17\r\nattacks, which may indicate that multiple groups are cooperating to facilitate these destructive attacks, possibly at\r\nthe direction of a single entity.\r\nStage 1: Timberworm recon\r\nTimberworm’s carefully planned operation saw the attackers send spear phishing emails to individuals at targeted\r\norganizations. In some cases, the emails contained Microsoft Word or Excel files as attachments. In others, the\r\nemails contained malicious links, which, if clicked, downloaded similar Word or Excel files.\r\nComputer network exploitation\r\nOpening the document invoked PowerShell from a malicious macro, which provided the attackers with remote\r\naccess to the compromised computer. Some basic reconnaissance was then performed using existing system tools\r\nto determine if the target was of interest. Once Timberworm was satisfied, it then deployed custom malware,\r\nhacktools, and software traditionally used in system/network administration. Some of the tools deployed during\r\nthese attacks included:\r\nPsExec, a tool for executing processes on other systems from Microsoft Sysinternals\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-\r\nfa92a712ecd9\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 4\n\nPAExec, a free re-implementation of PsExec from Poweradmin\r\nNetscan, a multipurpose IPv4/IPv6 network scanner\r\nSamdump, a hacking tool that dumps Windows password hashes\r\nMimikatz (Hacktool.Mimikatz), a hacking tool to harvest credentials\r\nTightVNC, an open-source remote desktop access application\r\nPlink, a command line network connection tool supporting encrypted communications\r\nRar, an archiving utility for compressing files before exfiltration.\r\nDuring this phase, once the attacker appeared to have achieved the desired level of network access, Plink was\r\nexecuted to provide an additional avenue of remote access (i.e. reverse RDP over SSH connections). This pattern\r\nof activity is also consistent with what was observed during Greenbug operations in 2016, before the eventual\r\ndeployment of Shamoon.\r\nStage 2: Shamoon destruction\r\nAt this point the attackers configured the Shamoon payloads per organization and then coordinated the attacks on\r\na pre-determined date. In the January 23 attacks Symantec observed consistent usage of PAExec across numerous\r\norganizations to initially deploy W32.Disttrack.B. After it was deployed, it would self-propagate and wipe\r\naccessible computers across the network.\r\nMultiple teams cooperating?\r\nTimberworm appears to be a much larger operation, infiltrating a much broader range of organizations beyond\r\nthose affected by the recent Shamoon attacks. Similarly, Greenbug targeted a range of organizations in the Middle\r\nEast beyond those affected by Shamoon, including companies in the aviation, energy, government, investment,\r\nand education sectors. While both groups leveraged two distinct toolsets, their targets, tactics, and procedures\r\nalign very well and in close proximity to the coordinated wiping events.\r\n“Living off the land”\r\nThe Shamoon attacks illustrate how a growing number of targeted attack groups are relying on common off-the-shelf tools to compromise targets. The Shamoon attackers managed to get access to targets’ networks using\r\nsocially engineered spear-phishing emails and abusing Office macros and PowerShell to gain initial footholds. In\r\nparticular, the use of PowerShell has been a popular tactic of late. Recent Symantec research found a total of 111\r\nmalware families that use the PowerShell command line. More than 95 percent of the PowerShell scripts analyzed\r\nthrough the BlueCoat Malware Analysis sandbox were found to be malicious.\r\nThe appeal of “living off the land” is obvious. Attackers believe malicious activity will be more difficult to detect\r\nif legitimate tools are involved and malware use is kept to a minimum. The use of legitimate tools may also serve\r\nto thwart attribution to specific actors.\r\nProtection\r\nSymantec and Norton products protect against Shamoon with the following detections:\r\nAntivirus:\r\nW32.Disttrack\r\nW32.Disttrack!gen1\r\nW32.Disttrack!gen4\r\nW32.Disttrack!gen6\r\nW32.Disttrack!gen7\r\nW32.Disttrack!gen8\r\nW32.Disttrack.B\r\nBackdoor.Mhretriev\r\nHacktool.Mimikatz\r\nIntrusion prevention system:\r\nSystem Infected: Disttrack Trojan Activity 2\r\nSystem Infected: Disttrack Trojan Activity 3\r\nIndicators of compromise\r\nNetscan\r\nMD5\r\n1ef78a72e4957c04197992bab2f86335\r\nSHA256\r\n63d51bc3e5cf4068ff04bd3d665c101a003f1d6f52de7366f5a2d9ef5cc041a7\r\nTightVNC\r\nMD5\r\na2ff24322c12558eb1f29aea3ca6f24a\r\nSHA256\r\n1ba26bcd857944b0486a76928f41f74d91dad492b46ea93c4ca246a0503cdaae\r\nHacktool.Mimikatz\r\nMD5\r\na9ae14b298fb12fad76347ff8f61dd40 (x86)\r\n27552cd0d24cb1eb59259d2acd7181bf (x64)\r\nSHA256\r\n0de2b74ff045f7c1af2d42aaf00aa98d44351850a968faf7b37bfa650684003c (x86)\r\n28290b9475c62039dda26b64e45f3e14815b6acd9ed49156a14e361df0524af8 (x64)\r\nPAExec\r\nMD5\r\n22e9853298c96b1ab89d8f71c4e82302\r\nSHA256\r\n01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey\r\n=5758557d-6e3a-4174-90f3-fa92a712ecd9\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c38b1d51363d56d47ee4794f35f8e1e665403dfd.pdf",
		"text": "https://archive.orkl.eu/c38b1d51363d56d47ee4794f35f8e1e665403dfd.txt",
		"img": "https://archive.orkl.eu/c38b1d51363d56d47ee4794f35f8e1e665403dfd.jpg"
	}
}