Connect with us

Hi, what are you looking for?



Shamoon 3 Wiper Code Includes Verse From Quran

Researchers continue to analyze the recent Shamoon 3 attacks and they have discovered more links to Iran and additional components of the malware.

Researchers continue to analyze the recent Shamoon 3 attacks and they have discovered more links to Iran and additional components of the malware.

Several Shamoon 3 samples have been identified recently and they are said to have been used in attacks aimed at organizations in the Middle East and elsewhere. According to cybersecurity firms, the attackers targeted the Middle Eastern assets of Italian oil and gas services company Saipem, along with some organizations in Saudi Arabia and the United Arab Emirates. McAfee reported seeing victims in the oil, gas, telecom, energy and government sectors.

Symantec noted in its initial analysis of the Shamoon 3 attacks that a Saudi Arabian organization hit by the malware had recently also been targeted by an Iran-linked threat group known as APT33 and Elfin. The same entity also had some systems infected with a Shamoon-linked piece of malware tracked as Stonedrill.

In a blog post published on Wednesday, McAfee said it believes that APT33 – or a group impersonating APT33 – is likely behind the Shamoon 3 attacks. This conclusion is based on a comparison between the tools and domains used in Shamoon 3 attacks and the ones detailed by FireEye in its first report describing the activities of APT33.

It’s worth noting that an analysis conducted by Symantec last year concluded that multiple groups had cooperated in previous Shamoon attacks so it’s possible that more than one team was also behind the latest wave of attacks.

Both McAfee and Palo Alto Networks have conducted a detailed analysis of the components used in the latest Shamoon campaign.

Researchers from these companies have identified a loader component, which executes a spreader that helps the attackers deliver the wiper to other systems on the compromised network. The spreader uses information stored in text files to move laterally within the network – the information from the text files was likely collected during reconnaissance activities. Another component is used to remotely execute the wiper on compromised systems.

The wiper itself, which overwrites files with random data, was not seen in previous Shamoon attacks, which involved a wiper tracked as DistTrack. Hidden in a file named SlHost.exe, the Trojan is written in C# and it’s based on an open source Windows tool named SuperDelete, which allows users to delete files and directories with very long paths.

Advertisement. Scroll to continue reading.

Palo Alto Networks researchers explained that the wiper does not use all the functionality included in SuperDelete. However, the attackers did add some ASCII art representing a verse from the Quran written in Arabic. The verse translates to “Perish the two hands of Abu Lahab ‘father of flames’ (an uncle of prophet peace be upon him) and Perish he!”

Shamoon 3 ASCII art

Interestingly, the ASCII art is never actually displayed to the victim due to how the wiper is programmed, and instead it can only be seen by individuals performing a code analysis of the malware.

“The religiously charged message within the wiper Trojan is interesting, as it acts as a message that may point to the adversary’s motivations,” Palo Alto Networks’ Robert Falcone explained. “We have potentially tied the use of this wiper to the Shamoon 3 incident involving the Disttrack wiper, which in the past has used politically charged images to overwrite files in Shamoon and Shamoon 2 attacks. This also suggests that the adversaries involved in the Shamoon attacks have additional wipers in their toolset to complement the Disttrack Trojan.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.