win.disttrack

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-03-08CyleraCylera
@techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20220411 | Detects win.disttrack.)
// Auto-generated (yara-signator) code-sequence signature for win.disttrack (Shamoon).
// The hex byte patterns in the strings section are the actual detection logic; the
// per-line mnemonic annotations are generator output and, in several sequences, do
// not correspond to the bytes they sit next to (see the notes on each sequence).
// Treat the bytes, not the mnemonics, as authoritative when reviewing or tuning.
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20220405"
        // NOTE(review): presumably an identifier of the Malpedia data snapshot the rule was
        // generated from, not a sample hash — confirm before using it as an IoC.
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule:
     * - Per the disclaimer, the sequences come from memory dumps and unpacked files,
     *   so expect matches on unpacked/in-memory content; a packed on-disk sample
     *   may not match at all. Scanning process memory is the intended use.
     * - The "??" bytes are YARA wildcards; in these sequences they sit where the
     *   generator masked relocatable call/jmp targets and absolute data addresses,
     *   so the patterns tolerate different load addresses of the same code.
     * - "score" in the annotations is a yara-signator metric; its exact meaning is
     *   not documented on this page, so do not read it as a confidence value.
     * - Sequences 6, 7, 9, 13, 17 and 21 contain 0x40-0x4f bytes in prefix position
     *   (e.g. 48 8b 4c 24 70, 41 b8 12 00 00 00), which are REX prefixes in x64 code.
     *   The mnemonics printed next to them ("dec eax", "inc ecx") are a 32-bit-mode
     *   decoding of those same bytes and do not describe the x64 instructions.
     *   Together with the 0x0041xxxx/0x0042xxxx absolute addresses in sequences
     *   14, 22, 23 and 25, this looks like a mix of one 32-bit and one x64 sample;
     *   with "7 of them", a hit will usually come from one of the two groups.
     */

    strings:
        // Sequences 0-5 (score = 200): ebp-relative stack access, push/pop and ret
        // fragments, consistent with a 32-bit build. Short, generic-looking patterns —
        // individually weak, which is why the condition requires seven of them.
        $sequence_0 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_1 = { e8???????? 6a07 e8???????? 59 c3 6a10 68???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10
            //   68????????           |                     

        $sequence_2 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_4 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6848000700           | push                0x70048

        $sequence_5 = { 58 5e 5d c3 6a0c }
            // n = 5, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc

        // Sequences 6-25 (score = 100). Annotation column is unreliable from here on:
        // in 6, 7, 8, 12, 17, 18, 20 and 21 the mnemonics belong to a different
        // sequence's bytes or are shifted by one line relative to the bytes.
        // NOTE(review): sequence_6's mnemonics match sequence_7's bytes; 44/4c here are
        // REX prefixes (x64), not "inc ecx"/"dec eax".
        $sequence_6 = { e9???????? 8b4d48 33d2 448d4201 e8???????? 4c8d0df8b7feff }
            // n = 6, score = 100
            //   e9????????           |                     
            //   8b4d48               | mov                 ecx, dword ptr [esp + 0x70]
            //   33d2                 | inc                 ecx
            //   448d4201             | mov                 eax, 0x12
            //   e8????????           |                     
            //   4c8d0df8b7feff       | dec                 eax

        // NOTE(review): x64 (48 = REX.W); mnemonics shown belong to sequence_17's bytes.
        $sequence_7 = { 488b4c2470 488d15a3700100 ff15???????? 488b4c2470 ff15???????? }
            // n = 5, score = 100
            //   488b4c2470           | dec                 eax
            //   488d15a3700100       | test                eax, eax
            //   ff15????????         |                     
            //   488b4c2470           | jne                 0x37
            //   ff15????????         |                     

        // NOTE(review): mnemonics shown are those of sequence_3/sequence_0, not of these
        // bytes; 8d3c8500864300 references absolute address 0x438600 (32-bit build).
        $sequence_8 = { 8d3c8500864300 8b07 c1e606 f644300401 }
            // n = 4, score = 100
            //   8d3c8500864300       | add                 esp, 4
            //   8b07                 | lea                 eax, dword ptr [ebp - 0x24]
            //   c1e606               | push                eax
            //   f644300401           | mov                 ecx, dword ptr [ebp - 0x24]

        // NOTE(review): x64 (48 prefixes); compare against -1 after an API call, i.e. an
        // INVALID_HANDLE_VALUE-style check — mnemonics are shifted by one line.
        $sequence_9 = { c744242003000000 ff15???????? 4883f8ff 740d 488bc8 ff15???????? }
            // n = 6, score = 100
            //   c744242003000000     | mov                 dword ptr [esp + 0x20], 3
            //   ff15????????         |                     
            //   4883f8ff             | dec                 eax
            //   740d                 | cmp                 eax, -1
            //   488bc8               | je                  0xf
            //   ff15????????         |                     

        // 16-bit compare in a loop (75f1 jumps backwards): a wide-character scan.
        $sequence_10 = { 6685c9 75f1 8d442420 8d5002 }
            // n = 4, score = 100
            //   6685c9               | test                cx, cx
            //   75f1                 | jne                 0xfffffff3
            //   8d442420             | lea                 eax, dword ptr [esp + 0x20]
            //   8d5002               | lea                 edx, dword ptr [eax + 2]

        // Adds 0x30 ('0') to a byte: digit-to-ASCII conversion.
        $sequence_11 = { 8d45f3 885dec e8???????? 8a00 0430 8845ed }
            // n = 6, score = 100
            //   8d45f3               | lea                 eax, dword ptr [ebp - 0xd]
            //   885dec               | mov                 byte ptr [ebp - 0x14], bl
            //   e8????????           |                     
            //   8a00                 | mov                 al, byte ptr [eax]
            //   0430                 | add                 al, 0x30
            //   8845ed               | mov                 byte ptr [ebp - 0x13], al

        // NOTE(review): mnemonics are shifted down by one line (first entry "dec eax"
        // is foreign). The x60/x60/x1000 multiplies read like a time-to-milliseconds
        // conversion from a struct at [eax + 0xc/0x10/0x18] — inferred, confirm.
        $sequence_12 = { 6bc93c 2b4818 03480c 6bc93c 8b4010 8d54015a 69d2e8030000 }
            // n = 7, score = 100
            //   6bc93c               | dec                 eax
            //   2b4818               | mov                 ecx, eax
            //   03480c               | imul                ecx, ecx, 0x3c
            //   6bc93c               | sub                 ecx, dword ptr [eax + 0x18]
            //   8b4010               | add                 ecx, dword ptr [eax + 0xc]
            //   8d54015a             | imul                ecx, ecx, 0x3c
            //   69d2e8030000         | mov                 eax, dword ptr [eax + 0x10]

        // NOTE(review): x64 (48 prefixes); mnemonics do not match these bytes.
        $sequence_13 = { 488d1538720000 488bce 488905???????? ff15???????? 488bc8 ff15???????? }
            // n = 6, score = 100
            //   488d1538720000       | lea                 edx, dword ptr [esp + 0x58]
            //   488bce               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488bc8               | mov                 ecx, dword ptr [esp + 0x70]
            //   ff15????????         |                     

        // Table lookup at absolute 0x428da0 (32-bit build).
        $sequence_14 = { c1e106 030cb5a08d4200 eb02 8bca }
            // n = 4, score = 100
            //   c1e106               | shl                 ecx, 6
            //   030cb5a08d4200       | add                 ecx, dword ptr [esi*4 + 0x428da0]
            //   eb02                 | jmp                 4
            //   8bca                 | mov                 ecx, edx

        $sequence_15 = { e8???????? 83c410 8d8424fc000000 50 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d8424fc000000       | lea                 eax, dword ptr [esp + 0xfc]
            //   50                   | push                eax

        $sequence_16 = { 88043b 833d????????10 8b35???????? 7305 be???????? }
            // n = 5, score = 100
            //   88043b               | mov                 byte ptr [ebx + edi], al
            //   833d????????10       |                     
            //   8b35????????         |                     
            //   7305                 | jae                 7
            //   be????????           |                     

        // NOTE(review): x64 (48 prefixes); the first two mnemonics belong to
        // sequence_12's last two bytes, the rest are shifted.
        $sequence_17 = { 488bd8 4889442458 4885c0 7532 4821442458 488d542458 }
            // n = 6, score = 100
            //   488bd8               | lea                 edx, dword ptr [ecx + eax + 0x5a]
            //   4889442458           | imul                edx, edx, 0x3e8
            //   4885c0               | dec                 eax
            //   7532                 | mov                 ebx, eax
            //   4821442458           | dec                 eax
            //   488d542458           | mov                 dword ptr [esp + 0x58], eax

        // NOTE(review): mnemonics do not match these bytes (32c0 is xor al, al).
        $sequence_18 = { e8???????? 32c0 eb43 bb01000000 391d???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   32c0                 | dec                 eax
            //   eb43                 | lea                 edx, dword ptr [0x170a3]
            //   bb01000000           | dec                 eax
            //   391d????????         |                     

        $sequence_19 = { 8d8dd0feffff e9???????? 8b4da8 83e958 e9???????? 8b542408 8d420c }
            // n = 7, score = 100
            //   8d8dd0feffff         | lea                 ecx, dword ptr [ebp - 0x130]
            //   e9????????           |                     
            //   8b4da8               | mov                 ecx, dword ptr [ebp - 0x58]
            //   83e958               | sub                 ecx, 0x58
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, dword ptr [edx + 0xc]

        // NOTE(review): mnemonics shown are sequence_3's, not these bytes'.
        $sequence_20 = { 83c148 51 8b4dfc e8???????? 8be5 }
            // n = 5, score = 100
            //   83c148               | push                eax
            //   51                   | add                 esp, 4
            //   8b4dfc               | add                 esp, 4
            //   e8????????           |                     
            //   8be5                 | push                eax

        // NOTE(review): x64 (41/48 prefixes); mnemonics belong to sequence_17's bytes.
        $sequence_21 = { e8???????? 41b812000000 488bd3 488d0d55b80100 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   41b812000000         | dec                 eax
            //   488bd3               | and                 dword ptr [esp + 0x58], eax
            //   488d0d55b80100       | dec                 eax

        // Table lookup at absolute 0x41aa7c (32-bit build).
        $sequence_22 = { 33c0 5d c3 8b04c57caa4100 }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c57caa4100       | mov                 eax, dword ptr [eax*8 + 0x41aa7c]

        // Stores absolute 0x41c2fc into a stack structure (32-bit build).
        $sequence_23 = { c78424a003000006000000 8b4c2434 8b5104 8d44244c 50 c7441438fcc24100 }
            // n = 6, score = 100
            //   c78424a003000006000000     | mov    dword ptr [esp + 0x3a0], 6
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   8d44244c             | lea                 eax, dword ptr [esp + 0x4c]
            //   50                   | push                eax
            //   c7441438fcc24100     | mov                 dword ptr [esp + edx + 0x38], 0x41c2fc

        // push 0, push 0, API call, then push 0x1388 (5000) — reads like a call followed
        // by a 5000 ms wait/timeout argument; inferred from the immediate only, confirm.
        $sequence_24 = { e8???????? 50 68???????? 6a00 6a00 ff15???????? 6888130000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6888130000           | push                0x1388

        // Table lookup at absolute 0x421740 (32-bit build); the shl-by-6 plus flag test
        // is a common compiler-runtime character-class lookup shape.
        $sequence_25 = { 8b0c8d40174200 c1e006 0fbe440104 83e040 5d }
            // n = 5, score = 100
            //   8b0c8d40174200       | mov                 ecx, dword ptr [ecx*4 + 0x421740]
            //   c1e006               | shl                 eax, 6
            //   0fbe440104           | movsx               eax, byte ptr [ecx + eax + 4]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp

    condition:
        // Any 7 of the 26 sequences, in a file/buffer under 1112064 bytes (~1.06 MiB).
        // The size bound is a scan-cost and false-positive limit: a matching sample
        // that is larger than this (e.g. padded or bundled) will not be reported, so
        // treat a miss on large inputs as inconclusive rather than as a clean result.
        7 of them and filesize < 1112064
}