Security Experts:

Connect with us

Hi, what are you looking for?



Shamoon 3 Wiper Code Includes Verse From Quran

Researchers continue to analyze the recent Shamoon 3 attacks and they have discovered more links to Iran and additional components of the malware.

Researchers continue to analyze the recent Shamoon 3 attacks and they have discovered more links to Iran and additional components of the malware.

Several Shamoon 3 samples have been identified recently and they are said to have been used in attacks aimed at organizations in the Middle East and elsewhere. According to cybersecurity firms, the attackers targeted the Middle Eastern assets of Italian oil and gas services company Saipem, along with some organizations in Saudi Arabia and the United Arab Emirates. McAfee reported seeing victims in the oil, gas, telecom, energy and government sectors.

Symantec noted in its initial analysis of the Shamoon 3 attacks that a Saudi Arabian organization hit by the malware had recently also been targeted by an Iran-linked threat group known as APT33 and Elfin. The same entity also had some systems infected with a Shamoon-linked piece of malware tracked as Stonedrill.

In a blog post published on Wednesday, McAfee said it believes that APT33 – or a group impersonating APT33 – is likely behind the Shamoon 3 attacks. This conclusion is based on a comparison between the tools and domains used in Shamoon 3 attacks and the ones detailed by FireEye in its first report describing the activities of APT33.

It’s worth noting that an analysis conducted by Symantec last year concluded that multiple groups had cooperated in previous Shamoon attacks so it’s possible that more than one team was also behind the latest wave of attacks.

Both McAfee and Palo Alto Networks have conducted a detailed analysis of the components used in the latest Shamoon campaign.

Researchers from these companies have identified a loader component, which executes a spreader that helps the attackers deliver the wiper to other systems on the compromised network. The spreader uses information stored in text files to move laterally within the network – the information from the text files was likely collected during reconnaissance activities. Another component is used to remotely execute the wiper on compromised systems.

The wiper itself, which overwrites files with random data, was not seen in previous Shamoon attacks, which involved a wiper tracked as DistTrack. Hidden in a file named SlHost.exe, the Trojan is written in C# and it’s based on an open source Windows tool named SuperDelete, which allows users to delete files and directories with very long paths.

Palo Alto Networks researchers explained that the wiper does not use all the functionality included in SuperDelete. However, the attackers did add some ASCII art representing a verse from the Quran written in Arabic. The verse translates to “Perish the two hands of Abu Lahab ‘father of flames’ (an uncle of prophet peace be upon him) and Perish he!”

Shamoon 3 ASCII art

Interestingly, the ASCII art is never actually displayed to the victim due to how the wiper is programmed, and instead it can only be seen by individuals performing a code analysis of the malware.

“The religiously charged message within the wiper Trojan is interesting, as it acts as a message that may point to the adversary’s motivations,” Palo Alto Networks’ Robert Falcone explained. “We have potentially tied the use of this wiper to the Shamoon 3 incident involving the Disttrack wiper, which in the past has used politically charged images to overwrite files in Shamoon and Shamoon 2 attacks. This also suggests that the adversaries involved in the Shamoon attacks have additional wipers in their toolset to complement the Disttrack Trojan.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack