New McAfee Threat Research - The Group Behind Shamoon

As the infamous Shamoon malware has resurfaced, McAfee Advanced Threat Research has uncovered additional details on last week’s reappearance of Shamoon, giving researchers high confidence that the APT33 group Charming Kitten, or a group masquerading as them, is behind these recent attacks.

Of note, after further detailed analysis of three versions of Shamoon, McAfee has concluded that the Iranian hacker group Charming Kitten / APT33 (or a group masquerading as them) is most likely responsible for these attacks.

This research follows last week’s analysis of the new wave of Shamoon “wiper” malware attacks.

Additional major findings include:

  • The new toolkit discovered appears to be a modular copy of the original Shamoon; the lack of sophistication indicates the authors are not as advanced as the original Shamoon authors
    • One possible explanation for this is that students are being hired to conduct these attacks
  • There is a phrase from the Quran used within the code that means “perish the hands of the Father of flame” or “the power of Abu Lahab will perish, and he will perish.”
  • The latest Shamoon appears to be part of a toolkit with several modules – detailed information on these can be found in the blog

This campaign illustrates how many hacker groups are now using more open source tools, as well as macros and scripting for targeted attacks. This rising trend was also echoed in the McAfee Threats Report: December 2018.

Please find the detailed blog here - Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

Additionally, below please find commentary from McAfee researchers about this investigation.

“We need to pay close attention to this campaign as it demonstrates an adversary that is willing and able to invest so heavily in technical development that there are noticeable improvements in these recent attacks compared to previous campaigns. In addition, not only is the adversary improving their tooling, but also their ability to hit a wider group of targets. Considering the destructive nature of the campaign, such improvements serve a stark warning to critical infrastructure operators,” said Raj Samani, McAfee Fellow and Chief Scientist.

“Being able to connect the dots with earlier operations and then see the magic happen when it all fit together was a ‘Eureka’ moment during our analysis. It amazes me to see the extent of this operation, which began months ago, with websites being created and payloads being carefully prepared, all for a grand finale in December when the destruction phase of the operation was executed,” said Christiaan Beek, McAfee Senior Principal Engineer and Lead Scientist.

DIGITAL TERMINAL
digitalterminal.in