By Invitation Only: Shamoon, a Case Study

It’s early morning and you’re bleary-eyed at your desk, sipping some coffee. You open your email and a sea of unread emails is there to greet you. As you comb through these emails, you come across one from a vaguely unfamiliar address that asks you to take a look at a word doc. Maybe you’re tired, bored, or otherwise occupied with a bigger workload on your mind, but you skim the email and open up the attachment.


Even though it’s a Microsoft Word Document that looks harmless, you might have just invited a fox into the chicken coop. Regardless of whether the contents are a resume, a brochure, or anything else, the object of concern lies in what the doc contains: a malicious macro that paves the way for the Shamoon virus.

What is Shamoon?

Shamoon is best known for its devastating attacks against the Saudi energy sector in 2012 that wiped tens of thousands of computers by overwriting the master boot record. It returned in November 2016, when it hit at least six government entities in Saudi Arabia again, this time utilizing the photograph of Alan Kurdi, the 3-year-old Syrian refugee who drowned.

From Doc to Destruction

IBM’s X-Force IRIS team investigated the case of Shamoon and found the virus’ entry to be a Word document that contained a malicious macro that, when approved to run, would effectively enable the attackers to infiltrate the network by establishing communications to the attacking server and remote shell via something called PowerShell.

Basically, what happened was that the attackers sent a spear phishing email to employees at the target organization. In order for this first step to succeed, all that was required was a person within the company to open the attachment. As soon as the attachment is opened, it invokes PowerShell, which enables command access to the computer. Thus, the hackers are now able to communicate with the machine and remotely execute commands on it.

Figure 1. Example Document of what Saudi Employees may have seen (SOURCE: X-Force IRIS)

With such access, the attackers could send additional tools and malware to other places on the network, which would familiarize them enough with the network to be able to mass-deploy the Shamoon virus, thus taking down thousands of computers.

How could this have been prevented?

Security is only as strong as its weakest link, and too often that vulnerable spot is not a fault of security software but rather human error. Attackers know this and orchestrate their plans accordingly. This is called social engineering, and it targets everyone. It’s important to remember that this doesn’t only happen to people who don’t know better. These attacks and executables can be quite sophisticated and even if you know the basics of protecting yourself online, it still may be possible to have a brief lapse in judgment that would invite a malware-laden attachment into your computer.

The moral of the story is to never think that these types of things wouldn’t target you, or that because you received awareness training in your workplace this wouldn’t happen on your watch. The best thing to do is to keep yourself constantly in check with complying with security requirements as well as taking a second look at what context these attachments are being sent in and who is their sender. And if you do have a lapse and click something you shouldn’t have, contact your IT department.  A good IT department will be happy that you alerted them, and take necessary steps to protect the network.  Awareness of Cyber Security isn’t a one-time lesson, it’s a consistent series of decisions.

Sources/Additional Info




This article was written by Kristina Weber and reviewed by Dave Ehman, Centry’s CTO. For more content like this, follow @CentryCyber on Twitter!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s