
Shamoon Hits Gulf Again

Update (01-24-2017 03:09:15 IST): The tool has been updated to detect the latest January 2017 variant of the Shamoon2 malware.

On December 1, 2016, CrowdStrike[2] reported a new targeted attack on some Gulf companies using the Shamoon malware. Shamoon is malware that previously infected companies in the Middle East and, above all, wiped their hard disks. This is a new variant and has been dubbed Shamoon 2.0[1].

Ars reports[3] that this threat wipes the hard disk when the date on the victim machine matches November 17.

Among the samples our threat intelligence lab received, we found an interesting driver from EldoS. This driver enables the threat to perform raw disk access on affected machines.

Click here to Download Shamoon2 Updated Detector

McAfee and CrowdStrike detect this threat
We also found that most antivirus products detect this threat. For example, VirusTotal reports the detection ratio as 38/56. Both McAfee and CrowdStrike detect this threat.

We will update this blog once our complete analysis is over.

At present, for the immediate benefit of our Middle East users, we are releasing the free Shamoon 2.0 Detection tool.


Paramount Shamoon Detection tool
The Indicators of Compromise:

The IOCs (SHA-256 hashes) for the latest January 2017 variant of the Shamoon2 malware:

010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb (Shamoon2.Disttrack.Update)
efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8 (Shamoon2.Communication.Update)
113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4 (Shamoon2.Wiper.Update)
5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (Shamoon2.vdsk911.sys.Update)
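As an added illustration of how the file hashes above can be used (this is example code, not the Paramount tool), the script below hashes every file under a directory and reports any whose SHA-256 matches one of the four published indicators. Hash matching only catches the exact samples listed, so a recompiled or repacked variant will not match; treat a clean result as "these specific samples are absent", not as proof the host is uninfected.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# SHA-256 indicators for the January 2017 Shamoon2 variant, copied from the list above.
SHAMOON2_IOCS: Dict[str, str] = {
    "010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb": "Shamoon2.Disttrack.Update",
    "efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8": "Shamoon2.Communication.Update",
    "113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4": "Shamoon2.Wiper.Update",
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": "Shamoon2.vdsk911.sys.Update",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(sha256_hex: str) -> Optional[str]:
    """Return the IOC label for a digest, or None if it is not one of the known hashes."""
    return SHAMOON2_IOCS.get(sha256_hex.strip().lower())


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, label) for each file whose SHA-256 matches an IOC.
    Files that cannot be read (locked or permission denied) are skipped so one
    unreadable file does not abort the whole scan."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = classify(sha256_of_file(path))
            except OSError:
                continue
            if label is not None:
                hits.append((path, label))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python shamoon2_ioc_scan.py <directory>  (defaults to the current directory)
    for hit_path, hit_label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit_label}\t{hit_path}")
```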