Kaspersky says two targets have been identified thus far

Mar 7, 2017 10:53 GMT  ·  By

A new type of destructive malware has been discovered by researchers at Kaspersky Lab. Like the infamous wiper Shamoon, StoneDrill destroys everything on the infected computer.

According to the announcement, StoneDrill features advanced anti-detection techniques and espionage tools. So far, it has targeted victims in the Middle East, but one target was also discovered in Europe.

Back in 2012, Shamoon, also known as Disttrack, took down about 35,000 computers at an oil and gas company in the Middle East, potentially putting 10% of the world's oil supply at risk. Following that attack, Shamoon all but disappeared, only to be spotted again in late 2016 in the form of Shamoon 2.0, a more extensive malicious campaign built around a more potent version of the 2012 malware.

Similar, but not the same

It was while investigating these late-2016 attacks that researchers stumbled upon StoneDrill. The malware is built in a style similar to the second version of Shamoon, but it is more sophisticated.

As of right now, it is not known how StoneDrill is propagated. What researchers do know is that once a machine is compromised, the malware injects itself into the memory of the user's preferred browser process. It then applies two anti-emulation techniques aimed at fooling security solutions installed on the machine before starting the destruction process.

StoneDrill has had two targets so far, one in the Middle East and one in Europe, although the researchers would not give out any names.

"Kaspersky Lab researchers have also found a StoneDrill backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with the help of the StoneDrill backdoor against an unknown number of targets," the announcement reads.

Wiping and espionage

Researchers believe that StoneDrill's most interesting feature is that it appears to have connections to other wipers and espionage operations that were previously observed in the wild.

For instance, Kaspersky Lab researchers discovered StoneDrill with the help of YARA rules written to identify unknown samples of Shamoon, and realized they were looking at a unique piece of malicious code that appears to have been created separately from Shamoon. Although the two are not the same, they seem to share the same purpose.

They also noticed similarities between the code of StoneDrill and that of the NewsBeef APT, also known as Charming Kitten, another malicious campaign that has been active for the last few years.

"We were very intrigued by the similarities and comparisons between these three malicious operations," said Mohamad Amin Hasbini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab. "Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time? Or, two groups which are separate but aligned in their objectives? The latter theory is the most likely one: when it comes to artefacts, we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artefacts being false flags."
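The resource-language artefact Hasbini describes (and the YARA-style hunting that turned up StoneDrill) can be operationalised by walking a PE file's resource tree and reading the language IDs at its third level. The script below is an added example written for this article, not Kaspersky's code or a StoneDrill signature: it parses the resource directory with only the standard library and flags the two LANGIDs mentioned in the quote, 0x0429 (Persian) and 0x2401 (Arabic, Yemen). The `build_sample_pe` helper constructs a minimal PE32 image so the parser runs offline; the resource type and IDs it writes are arbitrary sample values.

```python
import struct

# LANGID = (sublanguage << 10) | primary language. These two are the artefacts
# named in the Kaspersky quote: Persian for StoneDrill, Arabic (Yemen) for Shamoon.
LANG_PERSIAN = 0x0429       # fa-IR
LANG_ARABIC_YEMEN = 0x2401  # ar-YE
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2


def resource_languages(data):
    """Walk the PE resource tree (type -> name -> language) and return the
    set of language IDs found at the third level."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_offset = 96 if magic == 0x10B else 112          # data directory: PE32 vs PE32+
    rsrc_rva, _rsrc_size = struct.unpack_from(
        "<II", data, opt + dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    if rsrc_rva == 0:
        return set()

    # Section table follows the optional header; we need it to map RVA -> file offset.
    sections = []
    sec_table = opt + opt_size
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_table + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_offset(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA 0x%x maps to no section" % rva)

    base = rva_to_offset(rsrc_rva)
    langs = set()

    def walk(dir_off, depth):
        # IMAGE_RESOURCE_DIRECTORY: entry counts sit at +12 (named) and +14 (by id)
        named, by_id = struct.unpack_from("<HH", data, base + dir_off + 12)
        for i in range(named + by_id):
            name, child = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
            if child & 0x80000000:            # high bit set: points to a subdirectory
                if depth < 2:
                    walk(child & 0x7FFFFFFF, depth + 1)
            elif depth == 2:                  # leaf at the language level
                langs.add(name & 0xFFFF)

    walk(0, 0)
    return langs


def triage(data):
    """Summarise the resource languages of one PE image for analyst review."""
    langs = resource_languages(data)
    return {
        "languages": sorted(langs),
        "persian": LANG_PERSIAN in langs,
        "arabic_yemen": LANG_ARABIC_YEMEN in langs,
    }


def build_sample_pe(lang_ids):
    """Constructed minimal PE32 holding one RT_RCDATA resource per language ID.
    Sample input for the parser above, not a real binary."""
    n = len(lang_ids)
    rsrc_rva, rsrc_raw = 0x2000, 0x400
    hdr = lambda count: struct.pack("<IIHHHH", 0, 0, 0, 0, 0, count)
    root = hdr(1) + struct.pack("<II", 10, 0x80000000 | 24)      # type 10 = RT_RCDATA
    type_dir = hdr(1) + struct.pack("<II", 1, 0x80000000 | 48)   # resource id 1
    name_dir = hdr(n)
    data_entries_off = 64 + 8 * n
    payload_off = data_entries_off + 16 * n
    entries = data_entries = payload = b""
    for i, lang in enumerate(lang_ids):
        entries += struct.pack("<II", lang, data_entries_off + 16 * i)
        blob = b"RES%d" % i
        data_entries += struct.pack("<IIII", rsrc_rva + payload_off + len(payload), len(blob), 0, 0)
        payload += blob
    rsrc = root + type_dir + name_dir + entries + data_entries + payload

    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, rsrc_rva, len(rsrc))
    section = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(rsrc_raw, b"\0") + rsrc


if __name__ == "__main__":
    print(triage(build_sample_pe([0x0409, LANG_PERSIAN])))
```

Run against a real sample, `triage(open(path, "rb").read())` gives the language set in seconds; as the quote itself cautions, a resource language is an artefact an author can set deliberately, so treat the result as one pivot for clustering, not as attribution on its own.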

Updated to include commentary from AlienVault security researcher Chris Doman.

"Kaspersky suggest in their report that the Stonedrill attackers may be linked to a group known as Newscaster - previously seen targeting the US military. There have been reports they are located within Iran, as are the Shamoon attackers. Whilst Shamoon and Stonedrill may share common targets and even resources, this is part of a wider proliferation of ideas. [...] It’s novel that the new Shamoon attacks include a ransomware component. If you’re going to target an enemy - why not drain their resources and make some funds for yourself whilst you do it?" Doman told Softpedia.

He adds that US-CERT provides good advice in mitigating these kinds of attacks. A solid detection and back-up strategy is key for companies. "Many of these attacks involve a worm component that looks for weak passwords on a network, and can be identified using centralized reporting of failed logins."
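Doman's last point, spotting a password-guessing worm through centralised reporting of failed logins, is straightforward to turn into detection logic. The script below is an added example written for this article, not AlienVault's or US-CERT's code. It reads constructed Windows logon events (4625 = failed logon, 4624 = success) flattened to key=value lines, and flags any source that fails against many distinct accounts or many distinct hosts inside a sliding time window, which is the signature of lateral credential guessing rather than of a user mistyping a password. The field names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected Windows logon events, flattened to
# key=value lines. Not real telemetry. 10.0.5.23 sprays several accounts across
# three hosts; 10.0.8.14 is a user who mistypes a password twice, then succeeds.
SAMPLE_LOG = """\
2017-03-06T02:10:01 event=4625 host=FS01 user=Administrator src=10.0.5.23
2017-03-06T02:10:09 event=4625 host=FS01 user=backup src=10.0.5.23
2017-03-06T02:10:40 event=4625 host=DC01 user=svc_sql src=10.0.5.23
2017-03-06T02:11:15 event=4625 host=WEB02 user=admin src=10.0.5.23
2017-03-06T02:12:02 event=4625 host=DC01 user=guest src=10.0.5.23
2017-03-06T02:13:30 event=4625 host=FS01 user=test src=10.0.5.23
2017-03-06T08:00:12 event=4625 host=WS17 user=jsmith src=10.0.8.14
2017-03-06T08:00:41 event=4625 host=WS17 user=jsmith src=10.0.8.14
2017-03-06T08:01:05 event=4624 host=WS17 user=jsmith src=10.0.8.14
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_spraying_sources(log_text, window=timedelta(minutes=10),
                          min_accounts=5, min_hosts=3):
    """Return {src: stats} for sources whose failed logons within any span of
    `window` hit at least `min_accounts` distinct accounts or `min_hosts` hosts."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "4625":             # keep only failed logons
            failures[ev["src"]].append(ev)

    hits = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(events)):
            # advance the window start until events[start:end+1] spans <= window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {e["user"].lower() for e in span}
            hosts = {e["host"] for e in span}
            if len(accounts) >= min_accounts or len(hosts) >= min_hosts:
                stats = {"failures": len(span), "accounts": len(accounts), "hosts": len(hosts)}
                if best is None or stats["failures"] > best["failures"]:
                    best = stats               # keep the densest offending window
        if best:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, stats in find_spraying_sources(SAMPLE_LOG).items():
        print(src, stats)
```

Counting distinct accounts and hosts per source, rather than raw failure volume, is what separates a spreading worm from a single locked-out user; the same query is easy to express in a SIEM once 4625 events from every host land in one place.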

Photo Gallery (2 Images): StoneDrill vs Shamoon; Other wiper malware incidents