# Threat Brief: Credential Theft - The Keystone of the Shamoon 2 Attacks

By [Christopher Budd](https://www.paloaltonetworks.com/blog/author/christopher-budd/?ts=markdown "Posts by Christopher Budd"), Mar 27, 2017, 4 minutes

[Threat Intelligence](https://www.paloaltonetworks.com/blog/category/threat-intelligence/?ts=markdown) [credential theft](https://www.paloaltonetworks.com/blog/tag/credential-theft/?ts=markdown) [Disttrack Wiper](https://www.paloaltonetworks.com/blog/tag/disttrack-wiper/?ts=markdown) [Shamoon 2](https://www.paloaltonetworks.com/blog/tag/shamoon-2/?ts=markdown) [threat brief](https://www.paloaltonetworks.com/blog/tag/threat-brief/?ts=markdown)

Unit 42 researchers have been following the [Shamoon 2](https://www.paloaltonetworks.com/blog/tag/shamoon-2/) attacks closely since November 2016. To date, Shamoon 2 has unfolded in three separate attack waves, on [November 11, 2016](https://www.paloaltonetworks.com/blog/2016/11/unit42-shamoon-2-return-disttrack-wiper/), [November 29, 2016](https://www.paloaltonetworks.com/blog/2017/01/unit42-second-wave-shamoon-2-attacks-identified/), and [January 23, 2017](https://www.paloaltonetworks.com/blog/2017/01/unit42-threat-brief-shamoon-2-wave-3-attacks/).

Based on our newest [research](https://www.paloaltonetworks.com/blog/2017/03/unit42-shamoon-2-delivering-disttrack/), we can answer a question that many have had about these attacks: how is Shamoon 2 able to enter an organization's network and spread so widely? The answer is simple: credential theft.

Credential theft was already known to be a key part of the Shamoon 2 attacks. What our research shows that is new is how the attackers use the credentials once they have breached the network. From this we can see that credential theft is the keystone of the Shamoon 2 attacks: if an organization can prevent credential theft, the Shamoon 2 attacks cannot succeed.

Our research outlines how Shamoon 2 enters and spreads through an organization in three stages:

1. Shamoon 2 attackers access and compromise a single system in the network over Remote Desktop Protocol (RDP), using stolen, legitimate credentials. This system becomes their distribution server: they download their tools and malware to it.
2. From the distribution server, the attackers execute commands that connect to specific, named systems on the network, again using the stolen, legitimate credentials, and infect them with the Disttrack malware.
3. The Disttrack malware executes on the named systems the attackers have successfully infected. It then attempts to connect to and spread itself to up to 256 IP addresses on its local network. Any system successfully infected in this stage will in turn attempt to infect up to 256 IP addresses on its own local network.

These stages are outlined in the image below.

![shamoon-diagram-social-ads-final\_unit-42-diagram-linkedin-520x320](https://www.paloaltonetworks.com/blog/wp-content/uploads/2017/03/Shamoon-diagram-social-ads-final_unit-42-diagram-linkedin-520x320.png)

Credential theft is a key element in each stage:

1. Attackers must have valid credentials to gain access via RDP to the system they will use as their distribution server in Stage 1.
2. Once on the distribution server, the attackers must run their tools and scripts under an account with valid credentials for the named hosts in order to connect to and control those hosts in Stage 2.
3. The Disttrack malware itself must carry valid, stolen credentials embedded within it to spread itself in Stage 3.

Credentials were also a keystone issue in [Shamoon 2 wave 2](https://www.paloaltonetworks.com/blog/2017/01/unit42-second-wave-shamoon-2-attacks-reveal-possible-new-tactic/): we saw evidence of the attackers targeting an organization's virtual desktop infrastructure (VDI) solutions with default credentials. While these are not stolen credentials, the effect is the same: attackers can use them to abuse otherwise legitimate access and privileges to carry out their attacks.

At this time, we do not have research that definitively explains how the Shamoon 2 attackers obtained these credentials. We do believe there is evidence suggestive of a connection between Shamoon 2 and the [Magic Hound campaign](https://www.paloaltonetworks.com/blog/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/), which could indicate that the two campaigns worked in conjunction to execute the Shamoon 2 attacks.
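As an added example, not code from the original post or from Unit 42, the following Python script shows the kind of detection a defender could run against the Stage 1 and Stage 2 pattern described above: one account logs on over RDP to a single host, and that host then authenticates the same account to many named hosts within a short window. The event tuples, host names, account name, window and threshold are all constructed for illustration; the only values taken from a real source are the Windows event 4624 logon types (10 = RemoteInteractive, the RDP case, and 3 = Network).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): ISO timestamp, source host,
# destination host, account, logon type. Windows event 4624 records logon
# type 10 for RemoteInteractive (RDP) and 3 for Network logons.
SAMPLE_EVENTS = [
    ("2017-01-23T01:00:00", "203.0.113.7", "FS01", "CORP\\svc_backup", 10),
    ("2017-01-23T01:03:12", "FS01", "HR-PC-01", "CORP\\svc_backup", 3),
    ("2017-01-23T01:03:15", "FS01", "HR-PC-02", "CORP\\svc_backup", 3),
    ("2017-01-23T01:03:19", "FS01", "ENG-PC-11", "CORP\\svc_backup", 3),
    ("2017-01-23T01:03:22", "FS01", "ENG-PC-12", "CORP\\svc_backup", 3),
    ("2017-01-23T01:03:30", "FS01", "PRINT01", "CORP\\svc_backup", 3),
    ("2017-01-23T01:03:41", "FS01", "DC01", "CORP\\svc_backup", 3),
    # Benign baseline: a helpdesk user reaching two machines an hour apart.
    ("2017-01-23T02:10:00", "IT-PC-03", "HR-PC-01", "CORP\\jdoe", 3),
    ("2017-01-23T02:55:00", "IT-PC-03", "HR-PC-05", "CORP\\jdoe", 3),
]

LOGON_RDP = 10
LOGON_NETWORK = 3


def parse_events(rows):
    """Convert raw tuples into dicts with parsed timestamps, sorted by time."""
    events = [
        {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
         "account": account, "logon_type": logon_type}
        for ts, src, dst, account, logon_type in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one alert per (source host, account) that reaches at least
    min_hosts distinct destinations by network logon inside a sliding window.
    The alert carries the largest destination set seen in any such window."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == LOGON_NETWORK:
            by_key[(e["src"], e["account"])].append(e)

    alerts = []
    for (src, account), evs in by_key.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"src": src, "account": account,
                        "hosts": sorted(hosts), "first_seen": evs[start]["time"]}
        if best:
            alerts.append(best)
    return alerts


def rdp_origins(events, host, account):
    """Addresses that reached `host` over RDP with `account`: for a fan-out
    alert this answers where the distribution-server session came from."""
    return sorted({e["src"] for e in events
                   if e["logon_type"] == LOGON_RDP
                   and e["dst"] == host and e["account"] == account})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_fanout(evs):
        origins = rdp_origins(evs, alert["src"], alert["account"])
        print(f"{alert['account']} on {alert['src']} reached {len(alert['hosts'])} hosts "
              f"from {alert['first_seen']}; inbound RDP from {origins}")
```

On the constructed sample this flags `svc_backup` on `FS01` reaching six hosts in under a minute and traces the session back to the external address that logged on by RDP, while the helpdesk user touching two machines an hour apart stays quiet. In production the window and threshold need tuning per environment, and accounts that legitimately fan out (backup, patching, vulnerability scanning) need an allowlist, since the whole point of the Shamoon 2 technique is that the credentials in use are valid ones.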
We also believe that the specific, valid named hosts used in Stage 2 show the attackers obtained the host list directly from Active Directory on a domain controller. This is also suggestive of access to the network through legitimate, stolen credentials. In one sample we examined, we found a total of 844 hostnames.

This also sets context for how widely Disttrack can attempt to spread: 844 systems, each attempting to spread to 256 more, means that from one distribution server the Shamoon 2 attackers could try to spread Disttrack to as many as 216,064 systems, and that is before counting any infected system that in turn attempts to spread to a further 256 systems.

The Shamoon 2 attacks are tightly targeted at a specific region, but it would be a mistake to write off the threat that Shamoon 2 demonstrates. The attackers are using a rudimentary but effective distribution system of their own making. The power of the attack lies not in the tools they use but in their ability to obtain and abuse legitimate credentials. This underscores why organizations should treat credential theft as a top threat and take steps to understand and prevent it.

We recently published a new Unit 42 [white paper on credential theft](https://www.paloaltonetworks.com/blog/2017/03/unit42-new-white-paper-preventing-credential-phishing-theft-abuse/) that we encourage you to read. To help customers better understand and protect against this threat, we have posted information in our article [PAN-OS Configuration Recommendations to Protect Against Shamoon 2](https://live.paloaltonetworks.com/t5/Threat-and-Vulnerability/PAN-OS-Configuration-Recommendations-to-Protect-Against-Shamoon/ta-p/149451) in the [Threat and Vulnerability Articles](https://live.paloaltonetworks.com/t5/Threat-and-Vulnerability/tkb-p/ThreatArticles) section of our Live Community.
You can also join the discussion in "[About Threat and Vulnerability Discussions](https://live.paloaltonetworks.com/t5/Threat-and-Vulnerability/bd-p/Threat_Discussions)" on the Live Community.