{
	"id": "46f3edde-644e-498f-8313-f69374dbc86b",
	"created_at": "2026-04-06T00:18:57.235991Z",
	"updated_at": "2026-04-10T13:12:17.23493Z",
	"deleted_at": null,
	"sha1_hash": "ef69a55bcde167f26771a40036d65654b497c1a1",
	"title": "Shamoon 3 Targets Oil and Gas Organization",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72153,
	"plain_text": "Shamoon 3 Targets Oil and Gas Organization\r\nBy Robert Falcone\r\nPublished: 2018-12-13 · Archived: 2026-04-05 17:45:17 UTC\r\nSummary\r\nOn December 10, a new variant of the Disttrack malware was submitted to VirusTotal\r\n(SHA256:c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that shares a considerable amount of\r\ncode with the Disttrack malware used in the Shamoon 2 attacks in 2016 and 2017 that we previously published here, here,\r\nand here. While we could not identify the impacted organization from the malware, today Saipem disclosed they were\r\nattacked. In previous attacks, we were able to determine the impacted organization based on the domain names and\r\ncredentials used by the Disttrack tool to spread to other systems on the network. However, that functionality was missing\r\nfrom this sample. Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image.\r\nInstead it would overwrite the MBR, partitions, and files on the system with randomly generated data.\r\nAccording to a press release, Saipem confirmed that they experienced a cyberattack that involved a variant of the Shamoon\r\nmalware. The attack caused infrastructure and data availability issues, forcing the organization to carry out restoration\r\nactivities. Saipem told Reuters that 300 systems on their network were crippled by the malware related to the 2012 Shamoon\r\nattacks. While we cannot definitively confirm that Saipem was the impacted organization, the timing of this incident with\r\nthe emergence of the Disttrack sample discussed in this blog is quite coincidental.\r\nDropper\r\nThe sample submitted to VirusTotal is a Disttrack dropper, which is responsible for installing a communications and wiper\r\nmodule to the system. 
The dropper is also responsible for spreading to other systems on the same local network, which it\r\naccomplishes by attempting to log into other systems on the network remotely using previously stolen usernames and\r\npasswords. Unfortunately, this particular sample does not contain any domains, usernames, or passwords to perform this\r\nspreading functionality, so this sample would only run on the system on which it was specifically executed.\r\nThe dropper has a hardcoded kill time of '12/7/17 23:51'; if the system date is after this date the dropper installs the wiper\r\nmodule and starts wiping files on the system. The dropper reads the '%WINDOWS%\\inf\\mdmnis5tQ1.pnf' file to obtain a\r\ncustom kill date that it will use instead of the hardcoded time. The communications module installed by the dropper writes to\r\nthis file, which will be discussed in a later section. The dropper also decrypts a string '\\inf\\averbh_noav.pnf', which is the other\r\nfile the communications module uses to record system information and whether the wiper successfully wiped the\r\nsystem, but the dropper itself does not appear to use this file.\r\nThe dropper has three resources, two of which contain embedded modules, specifically a communications module and a\r\nwiper module. The third resource contains an x64 variant of the dropper, which it will use if the architecture of the system is\r\ndetermined to be x64. The resources have a language set to ‘SUBLANG_ARABIC_YEMEN’ that was also found in the\r\nprevious Disttrack samples used in Shamoon 2 attacks. The resource names are PIC, LNG, and MNU, which are slightly\r\naltered versions of the ICO, LANG, and MENU names found in previous samples.\r\nThe dropper extracts modules from these resources by seeking a specific offset and reading a specific number of bytes as the\r\nlength of the ciphertext. 
The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64-encoded\r\nstring that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset,\r\nwhich is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources,\r\nthe information used to extract them, and the resulting module.\r\nResource\r\nname\r\nPIC\r\nDescription x64 variant of Dropper\r\nBase64\r\nKey\r\n2q9BQGHGVktPVIMZ6Nx17Njp4B5mHgj51hbybNInRWsNIWniq6hOYvf5CksMXvPOyl/3dYKDn7ymSGlK0+l5KA8YC8dzkkAwm\r\nOffset 8786-14\r\nLength 983552\r\nSHA256 of\r\nCleartext\r\n0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03\r\nTable 1 Resource containing the x64 variant of the Disttrack dropper\r\nhttps://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/\r\nPage 1 of 5\n\nResource\r\nname MNU\r\nDescription Communications module\r\nBase64\r\nKey\r\nU3JGgjNUDzWJEpOxzuwHjOijgav56cZatHh98dLbazGIBe7UMOcvdyCvU5/8mH1n7jUcMSIPFmqr7M671h5jradiKMn9M1sBdAmK\r\nOffset 8601-14\r\nLength 266752\r\nSHA256 of\r\nCleartext\r\n0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe\r\nTable 2 Resource containing the communications module in the Disttrack dropper\r\nResource\r\nname\r\nLNG\r\nDescription Wiper module\r\nBase64\r\nKey\r\ncb5F91PLTu1hN8oPgG2a6AQiJkphsXAmWFarsUoYEFo/BNgxF8Rj/hdzHxW/k/fLCZboSJRLnr9OH578IJyiSSdvz3uUaNA/vycy7ZJ\r\nOffset 7892-14\r\nLength 402432\r\nSHA256 of\r\nCleartext\r\n391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c\r\nTable 3 Resource containing the wiper module within the Disttrack dropper\r\nThe dropper will install itself to the system (and remote systems if spreading was possible) by creating a service with the\r\nattributes listed in Table 4 below.\r\nService name MaintenaceSrv\r\nService\r\ndisplay name\r\nMaintenace Host Service\r\nService\r\ndescription\r\nThe Maintenace Host service is hosted in the 
LSA process. The service provides key process isolation\r\nto private keys and associated cryptographic operations as required by the Common Criteria. The\r\nservice stores and uses long-lived keys in a secure process compl\\x1d\r\nBinary path MaintenaceSrv32.exe or MaintenaceSrv64.exe\r\nTable 4 Service created by the Disttrack dropper\r\nThe dropper chooses a random name when installing the communication and wiper modules to the system. The\r\ncommunications module will have one of the following filenames with the ‘exe’ file extension:\r\nnetnbdrve\r\nprnod802\r\nnetrndiscnt\r\nnetrtl42l\r\nmdmadccnt\r\nprnca00\r\nbth2bht_ibv32\r\ncxfalcon_ibL32\r\nmdmsupr30\r\ndigitalmediadevicectl\r\nmdmetech2dmv\r\nnetb57vxx\r\nwinwsdprint\r\nprnkwy005\r\ncomposite005\r\nmdmar1_ibv32\r\nprnle444\r\nkscaptur_ibv32\r\nmdmzyxlga\r\nusbvideob\r\ninput_ibv48\r\nprnok002_ibv\r\naverfx2swtvZ\r\nwpdmtp_ibv32\r\nmdmti_ibv32\r\nprintupg_ibv32\r\nwiabr788\r\nThe wiper module will have one of the following filenames with the ‘exe’ file extension:\r\n_wialx002\r\n__wiaca00a\r\ntsprint_ibv\r\nacpipmi2z\r\nprnlx00ctl\r\nprngt6_4\r\narcx6u0\r\n_tdibth\r\nprncaz90x\r\nmdmgcs_8\r\nmdmusrk1g5\r\nnetbxndxlg2\r\nprnsv0_56\r\naf0038bdax\r\naverfix2h826d_noaverir\r\nmegasasop\r\nhidirkbdmvs2\r\nvsmxraid\r\nmdamx_5560\r\nwiacnt7001\r\nWiper\r\nThe wiper module (SHA256: 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c) that the dropper\r\nwrites to the system is responsible for overwriting the data within the MBR, partitions, and files on the system. The wiper\r\ncarries out this wiping using a legitimate hard disk driver called RawDisk by ElDos. The wiper contains the ElDos RawDisk\r\ndriver in a resource named 'e' that it extracts by skipping to offset 1984 and reading 27792 bytes from that offset. 
It then\r\ndecrypts the data using a 247-byte key and saves it to ‘%WINDOWS%\\system32\\hdv_725x.sys’. The wiper then creates a\r\nservice named ‘hdv_725x’ for this driver using the following command line and starts it with \"sc start hdv_725x\":\r\nsc create hdv_725x type= kernel start= demand binpath= %WINDOWS%\\system32\\hdv_725x.sys\r\nThis wiper was configured using the ‘R’ flag, which generates a buffer of random bytes that it will use to overwrite the\r\nMBR, partitions and files. The sample supports two additional configuration flags as well, specifically the ‘F’ and ‘E’ flags, which\r\nwill either overwrite files using a supplied file or encrypt their contents.\r\nThe wiper could be configured to use a file to overwrite the files on the disk using the ‘F’ configuration flag, as we saw\r\nimages used to overwrite files in previous Shamoon attacks. This file would be stored in a resource named ‘GRANT’, but\r\nthis particular wiper is not configured to use a file for overwriting so the GRANT resource does not exist. If it were\r\nconfigured to use a file, this sample would extract the file using the information listed in Table 5.\r\nResource\r\nname\r\nGRANT\r\nDescription File to overwrite within Wiper module\r\nBase64\r\nKey\r\nheocXOK4rDmQg4LRfiURI9wSOuSMwe0e69NfEpZLmyNixiUGYdEtpx/ZG3rMRN7GZlJ1/crQTz5Bf6W0xgkyYCwzD247FolCGA\r\nOffset 71-14\r\nLength \u003cunknown\u003e\r\nSHA256 of\r\nCleartext\r\n\u003cunknown\u003e\r\nTable 5 Resource in wiper module that would contain file to use for overwriting data\r\nThis sample is also capable of being configured to import an RSA key to encrypt the MBR, partitions, and files via\r\nconfiguration flag ‘E’. 
This sample was not configured to encrypt files, and the RSA key is empty in the wiper.\r\nAfter completing this wiping functionality, the sample will reboot the system using the following command line, which will\r\nrender it unusable when the system reboots as the important system locations and files have been overwritten with random\r\ndata:\r\nshutdown -r -f -t 2\r\nCommunications\r\nThe communications module (SHA256: 0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe)\r\ndropped by the Disttrack dropper will use the following two supporting files:\r\n%WINDOWS%\\inf\\mdmnis5tQ1.pnf - Used to set a wipe date for associated wiper module\r\n%WINDOWS%\\inf\\averbh_noav.pnf - Used to mark successful wiping\r\nThe communications module is responsible for reaching out to hardcoded URLs to communicate with the C2 server, but like\r\nprevious Disttrack samples, this communication module does not contain functional C2 domains to use in the URLs. If it\r\ndid, it would create a URL with a parameter named 'selection' followed by system information and the contents of the\r\n'averbh_noav.pnf' file, as seen here:\r\n[C2 URL, empty]?selection=[system info and contents of averbh_noav.pnf]\r\nWhen communicating with the C2 URL, the communications module would use a User Agent of 'Mozilla/13.0 (MSIE 7.0;\r\nWindows NT 6.0)', which is the same as past Disttrack communication module samples. Table 6 below shows the two\r\ncommands the C2 could respond with that the communications module could handle.\r\nCommand Description\r\nE\r\nReads a base64-encoded file from the C2 server, runs 'del /f /a %TEMP%\\Temp\\reilopycb\\*.exe' to delete\r\npreviously downloaded executables, runs 'mkdir %TEMP%\\Temp\\reilopycb] \u003e nul 2\u003e\u00261' to create a\r\nfolder and saves the executable to a file named '[tick count].exe'. 
The Trojan then runs the downloaded\r\nexecutable '%TEMP%\\Temp\\reilopycb\\[tick count].exe'\r\nT\r\nOpens the '\\inf\\mdmnis5tQ1.pnf' file and writes a supplied date to the file. The '\\inf\\mdmnis5tQ1.pnf' file\r\nis used by the wiper module associated with this communications module to determine when to wipe the\r\nsystem.\r\nTable 6 Commands available within the communication module's command handler\r\nConclusion\r\nThe Disttrack sample uploaded to VirusTotal is a variant of the samples used in the Shamoon 2 attacks in 2016 and 2017.\r\nThe tool does not have the capability to spread to other systems on the local network. Instead it would have to be loaded\r\nonto and executed on the system that the actors intend to wipe. The wipe date of '12/7/2017' does not seem timely. However,\r\nthis older date is still effective as the Disttrack dropper will install and run the wiper module as long as the system date is\r\nafter the wipe date. Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image.\r\nInstead, it would overwrite the MBR, partitions and files on the system with random data. 
While we can’t confirm this\r\nsample was used in the Saipem attack, it is likely at least related to it.\r\nPalo Alto Networks customers are protected from this threat:\r\nWildFire detects all samples associated with this attack with malicious verdicts\r\nAutoFocus customers can track this attack and previous Shamoon attacks using the Disttrack\r\nIndicators of Compromise\r\nc3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f - Disttrack Dropper x86\r\n0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03 - Disttrack Dropper x64\r\n0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe - Disttrack Comms module x86\r\n391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c - Disttrack Wiper module x86\r\n6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879 - ElDos RawDisk Driver x86\r\nccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150 - Disttrack Comms module x64\r\ndab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589 - Disttrack Wiper module x64\r\nbc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70 - ElDos RawDisk Driver x64\r\nSource: https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"
	],
	"report_names": [
		"shamoon-3-targets-oil-gas-organization"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef69a55bcde167f26771a40036d65654b497c1a1.pdf",
		"text": "https://archive.orkl.eu/ef69a55bcde167f26771a40036d65654b497c1a1.txt",
		"img": "https://archive.orkl.eu/ef69a55bcde167f26771a40036d65654b497c1a1.jpg"
	}
}