Security Experts:

Connect with us

Hi, what are you looking for?



Shamoon Malware Delivered via Weaponized Documents: IBM

The notorious disk-wiping malware Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) team.

The notorious disk-wiping malware Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) team.

Shamoon 2 was recently spotted in attacks aimed at Saudi Arabia and other states in the Persian Gulf. The malware, also known as Disttrack, has several variants, including one capable of targeting virtual desktop infrastructure (VDI) products.

An analysis conducted recently by Symantec showed that the attackers behind Shamoon, which many believe are based in Iran, may have been aided by a threat actor dubbed Greenbug. The security firm linked the Greenbug and Shamoon groups after discovering malware from both actors on the same system.

X-Force IRIS researchers have analyzed the recent waves of Shamoon attacks and determined that the initial breach likely took place weeks before the malware was deployed and activated.

It’s worth noting that, in many cases, Shamoon had been programmed to step into action at a specified time and date, typically when the targeted organization’s employees were less likely to notice its actions.

Experts believe the attackers used weaponized Office documents as an entry point. The documents contained a malicious macro which, when executed, initiated command and control (C&C) communications and deployed a remote shell via PowerShell.

The malicious files, which often included resumes and other human resources documents, were sent to targeted users via spear phishing emails. Some of the documents found by IBM referenced an Egypt-based software professional services organization named IT Worx, and Saudi Arabia’s Ministry of Commerce and Investment (MCI).

Once the document is opened and the macro is executed, PowerShell is invoked to provide a communications channel to the compromised device, allowing attackers to remotely execute commands on it.

The threat actor can use this access to deploy other tools and malware, and gain further access into the victim’s network. Once critical servers have been identified, the attackers can deploy Shamoon, which erases hard drives and causes systems to become inoperable.

The macro found in the documents executed two PowerShell scripts, including one served from a domain that had hosted a cross-platform remote access tool named Pupy. The RAT and the domain in question were also spotted during the analysis of an Iran-linked campaign dubbed “Magic Hound.”

IBM researchers believe the recent analysis and warnings issued by Saudi Arabia will likely cause the Shamoon attackers to once again disappear, like they did after the 2012 Saudi Aramco operation, and change their tactics for the next wave of attacks.

Related: Macro Malware Comes to macOS

Related: Office Loader Uses Macros to Drop Array of Malware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.