Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit

Iran Thunderstruck

About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no,no – so don’t do it. Actually using this against any systems that you do not have express written permission to do so will probably end you up in jail – so again, don’t do it. Lastly, this is not new, it is from a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code to play AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbel. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check this out:

The code can be found at his Github site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly we will need a willing Windows 7 system as a target, this attack did not seem to work very well using a VMware virtual machine for a target (the up volume loop seems to bog systems down pretty good), so I used a stand alone system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

[string] $VideoURL = “”
#Create hidden IE Com Object
$IEComObject = New-Object -com “InternetExplorer.Application”
$IEComObject.visible = $False
$EndTime = (Get-Date).addminutes(3)
Write-Verbose “Loop will end at $EndTime”
#ghetto way to do this but it basically presses volume up to raise volume in a loop for 3 minutes
do {
$WscriptObject = New-Object -com
until ((Get-Date) -gt $EndTime)

The VideoURL string sets the song, which is of course, Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False section tells PowerShell to hide the IE window so that it does not show up. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) where the Up Volume key (char 175) is called repeatedly. As mentioned earlier, this loop seems to really draw down the target computer, you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt“.

3. Base64 encode the script:

Iran Thunderstruck 2

And that is it, now all we need to do is use Metasploit to get a remote shell to the target system and then call the encoded script in our remote shell using PowerShell, like so:

Iran Thunderstruck 3

And that is it, after a short pause the target remote system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn down the volume using the speaker icon, it will fight them by turning it back up until the song is over!

Iran Thunderstruck 4

Defending against this attack

The bad thing about PowerShell based attacks is that most Anti-Viruses and Windows do not see them as malicious. So your best bet is to never, ever open unsolicited attachments you receive in social media sites or via e-mails. Also, run script blocking programs to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!


Iranian Hackers Target US Military Personnel via Social Media

People trust and share way too much on social media sites, and unfortunately this extends to government employees and military troops around the world. Iranian hackers have taken advantage of this and for the last three years have been targeting high ranking officials worldwide by attacking social media accounts using social engineering.

Social Engineering means to attempt to gain access or information from someone by pretending to be someone else or by physiologically manipulating someone to trick them into doing something they normally wouldn’t. Hackers use these techniques to gain account login information, access to a physical location or confidential data, or to gain information that could be used in future attacks.

According to the security firm iSight Partners in Dallas, Iranian hackers pretending to be members of US News media and defense contractors have social engineered high ranking officials via sites like Facebook, Linked-In, YouTube and Twitter since 2011. The firm has tracked the attacks for six months and have been amazed at the depth and persistence of the hackers:

It is such a complex and broad-reaching, long-term espionage campaign for the Iranians, what they lack in technical sophistication, they make up in creativity and persistence,” said iSight Senior Vice President Tiffany Jones.

The targets included a US Navy Admiral and other high ranking officials from the US and also Israel, UK, Iraq, Saudi Arabia and Syria.

People share way to much via social media assuming it is a safe environment. Military personnel and government officials around the globe share where they are, what technology they are working on, unit locations and capabilities, and other seemingly innocent data shared with “friends” that could be a gold mind to cyber espionage and social engineering hackers.

Officials should be very wary of unknown social media contacts pressing them for confidential data or account information. High ranking military personnel or those in top secret positions should not use social media sites as resumes or to share where they are or what they are working on.

Some country’s even prohibit soldiers from posting any pictures of themselves in uniform or discussing any military occupation information on social media sites.

Iran inside US Navy Unclassified Intranet System for Four Months


It took the Navy longer than previously reported to remove Iranian hackers from the Navy and Marine Corps Intranet (NMCI). According to the Wall Street Journal, the hackers had access to the system last year for four months.

The hackers were able to gain access via a hole in a public facing website and conducted surveillance on the intranet, though a senior official told the WSJ that no emails were hacked and no data was extracted.

The NMCI is the largest enterprise network in the world and second only to the internet itself in size. It handles about 70% of the Department of the Navy’s IT needs. It encompasses more than 360,000 computers and 4,100 servers connected together in over 600 locations.

The sheer size of this network makes is very difficult to secure. IT specialists have to make sure everything is kept updated and all security issues are dealt with on the hundreds of thousands of systems.

Attackers just need to find one opening to exploit.

Then once someone does gain access into a network of this size, it can take a long time for security specialists to analyze what was touched, what was compromised and what, if any, backdoors were left.

Though the system is the Navy’s unclassified network, the fact that Iran was able to gain access to this military intranet is very concerning.

It was a real big deal, it was a significant penetration that showed a weakness in the system.” a senior official told the WSJ.

Of interest to this story too, is that just five days after the breach was initially disclosed last year, an Iranian cyber commander was apparently assassinated.

Iranian Cyber Commander Mojtaba Ahmadi’s body was found in a remote area near Karaj. Initial police reports stated that he has shot by two men on a motorbike.

An eyewitness reported that there were “two bullet wounds on his body”, and that ‘”The extent of his injuries indicated that he had been assassinated from a close range with a pistol“.

This style of attack seems to be a very similar to a tactic used by Israeli secret agents.

Though it has not been proved that Israel was involved, and Iranian officials later denied that Ahmadi was assassinated – One thing seems true, physical responses for cyber attacks seem to be on the table.

And, you don’t mess with the United States Marine Corps!

Did Israeli Mossad Assassinate an Iranian Cyber Commander?

Mossad Logo, Translated Text says, "Where no wise direction is, a people falleth; but in the multitude of counsellors there is safety." Pr 11:14
Mossad Logo, Translated Text says, “Where no wise direction is, a people falleth; but in the multitude of counsellors there is safety.” Pr 11:14

Mojtaba Ahmadi, a commander of Iranian cyber forces has been apparently assassinated at close range by two people on a motorcycle. With similar assassinations taking place in Iran, one has to ask, “Was this an Israeli operation?”

According to reports, Ahmadi was shot two times in the heart at close range by two unknown assailants.

“I could see two bullet wounds on his body and the extent of his injuries indicated that he had been assassinated from a close range with a pistol,” an eyewitness told a Revolutionary Guard backed website.

The attack involving assailants on motor bikes sounds like a tactic used several times against Iranian Nuclear and Missile Scientists. Six key Iranians have been assassinated since 2007. And for years Iran and other nations have accused the Mossad of the strikes.

We may never know who was actually responsible, but with cyber attacks coming from Iran and with Iran’s nuclear threat against Israel, it would seem that they might have taken things into their own hands.

And that may now include physically targeting Iran’s cyber warriors.