New Destructive Malware Discovered

Monday, March 6, 2017 @ 04:03 PM gHale

There is a new sophisticated wiper malware, called StoneDrill that is targeting companies in the Middle East and Europe, researchers said.

Just like Shamoon, StoneDrill destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools, said researchers at the Kaspersky Lab Global Research and Analysis Team.


In 2012, Shamoon (also known as Disttrack) took down over 30,000 computers at oil giant Saudi Aramco in the Middle East. This devastating attack left 10 percent of the world’s oil supply potentially at risk. The attack also hit Saudi gas provider RasGas and chemical maker SAFCO. ISSSource reported the attack emanated from Iran.

Late last year, however, the attack returned in the form of Shamoon 2.0 – a far more extensive malicious campaign using a heavily updated version of the 2012 malware.

While exploring these attacks, Kaspersky Lab researchers found malware built in a similar “style” to Shamoon 2.0. At the same time, it was very different from, and more sophisticated than, Shamoon, and they named it StoneDrill.

It is not yet known how StoneDrill propagates, but once on the attacked machine it injects itself into the memory process of the user’s preferred browser. During this process it uses two sophisticated anti-emulation techniques aimed at fooling security solutions installed on the victim machine. The malware then starts destroying the computer’s disk files.

So far, at least two targets of the StoneDrill wiper have been identified, one in the Middle East and the other in Europe.

Besides the wiping module, researchers also found a StoneDrill backdoor, apparently developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels used by attackers to run espionage operations with the help of the StoneDrill backdoor against a series of targets.

In addition, StoneDrill has connections to several other wipers and espionage operations.

When Kaspersky Lab researchers discovered StoneDrill with the help of YARA rules created to identify unknown samples of Shamoon, they realized they were looking at a unique piece of malicious code created separately from Shamoon.

Even though the two families – Shamoon and StoneDrill – don’t share the exact same code base, the mind-set of the authors and their programming “style” appear to be similar. That’s why it was possible to identify StoneDrill with the Shamoon-developed YARA rules.

There are also code similarities with older known malware. StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten – another malicious campaign active in the last few years.

“We were very intrigued by the similarities and comparisons between these three malicious operations,” said Mohamad Amin Hasbini, senior security researcher, global research and analysis team at Kaspersky Lab. “Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time? Or, two groups which are separate but aligned in their objectives? The latter theory is the most likely one: When it comes to artifacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artefacts being false flags.”
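The resource-language artifact Hasbini refers to (Arabic-Yemen sections in Shamoon, mostly Persian sections in StoneDrill) is something an analyst can pull out of a PE file's resource directory without running the sample. The script below is an added example, not Kaspersky's tooling and not derived from either malware family: it parses a minimal three-level Windows resource tree (type, name, language), decodes each leaf's LANGID into a primary language and sub-language, and tallies how many resources sit under each language. The resource section it parses is constructed inline for the example; in a real binary you would locate the section via the PE data directory and translate RVAs, which this simplified parser does not do. Named (string) resource entries are also ignored.

```python
import struct

# Windows LANGID: low 10 bits = primary language, high 6 bits = sub-language.
# Only a handful of primary-language codes are mapped here (constructed subset).
PRIMARY_LANGS = {
    0x01: "Arabic",
    0x09: "English",
    0x19: "Russian",
    0x29: "Persian",
}
SUBLANG_ARABIC_YEMEN = 0x09  # sub-language code for ar-YE

# On-disk layouts from the PE specification (little-endian).
DIR_HDR = struct.Struct("<IIHHHH")    # IMAGE_RESOURCE_DIRECTORY
DIR_ENTRY = struct.Struct("<II")      # IMAGE_RESOURCE_DIRECTORY_ENTRY
DATA_ENTRY = struct.Struct("<IIII")   # IMAGE_RESOURCE_DATA_ENTRY


def walk_resource_tree(blob, offset=0, path=()):
    """Yield the (type, name, lang) tuple for every leaf in a resource tree.

    Subdirectory offsets are relative to the start of the resource section and
    are flagged by the high bit of the entry's offset field.
    """
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(blob, offset)
    entry_off = offset + DIR_HDR.size
    for _ in range(n_named + n_id):
        ident, data_off = DIR_ENTRY.unpack_from(blob, entry_off)
        entry_off += DIR_ENTRY.size
        new_path = path + (ident,)
        if data_off & 0x80000000:
            yield from walk_resource_tree(blob, data_off & 0x7FFFFFFF, new_path)
        else:
            yield new_path


def describe_langid(langid):
    """Turn a LANGID such as 0x2401 into a human-readable language label."""
    primary = langid & 0x3FF
    sub = langid >> 10
    label = PRIMARY_LANGS.get(primary, f"primary 0x{primary:02x}")
    if primary == 0x01 and sub == SUBLANG_ARABIC_YEMEN:
        label += " (Yemen)"
    return label


def resource_language_profile(blob):
    """Count resource leaves per language label; the attribution artifact."""
    counts = {}
    for leaf in walk_resource_tree(blob):
        if len(leaf) != 3:        # malformed depth: skip rather than guess
            continue
        label = describe_langid(leaf[2])
        counts[label] = counts.get(label, 0) + 1
    return counts


def dominant_language(profile):
    """Language label carrying the most resources (None for an empty profile)."""
    return max(profile, key=profile.get) if profile else None


def _emit_dir(buf, tree):
    """Serialise one directory level, patching child offsets after the fact."""
    start = len(buf)
    keys = sorted(tree)
    buf += DIR_HDR.pack(0, 0, 0, 0, 0, len(keys))
    entry_pos = len(buf)
    buf += b"\0" * (DIR_ENTRY.size * len(keys))
    for i, key in enumerate(keys):
        child = tree[key]
        if isinstance(child, dict):
            off = _emit_dir(buf, child) | 0x80000000
        else:
            off = len(buf)
            buf += DATA_ENTRY.pack(0, 0, 0, 0)  # payload RVA/size not needed here
        DIR_ENTRY.pack_into(buf, entry_pos + i * DIR_ENTRY.size, key, off)
    return start


def build_resource_section(leaves):
    """Build a minimal resource section from (type, name, lang) tuples (constructed test input)."""
    tree = {}
    for type_id, name_id, lang_id in leaves:
        tree.setdefault(type_id, {}).setdefault(name_id, {})[lang_id] = None
    buf = bytearray()
    _emit_dir(buf, tree)
    return bytes(buf)


# Constructed sample: a binary whose resources are mostly Persian, with one
# Arabic (Yemen) and one English resource for contrast. Not taken from any sample.
RT_RCDATA, RT_VERSION = 10, 16
SAMPLE_LEAVES = [
    (RT_VERSION, 1, 0x0429),    # fa-IR
    (RT_RCDATA, 101, 0x0429),   # fa-IR
    (RT_RCDATA, 102, 0x2401),   # ar-YE
    (RT_RCDATA, 103, 0x0409),   # en-US
]

if __name__ == "__main__":
    section = build_resource_section(SAMPLE_LEAVES)
    profile = resource_language_profile(section)
    print(profile, "dominant:", dominant_language(profile))
```

A profile like this is only one artifact among many, and as the quote notes, resource languages are trivially set by the author, so treat the result as a pivot for further comparison rather than an attribution on its own.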

To learn more about Shamoon 2.0 and StoneDrill, click on the Kaspersky blog post.
