In the wake of the Shamoon malware attacks, a new wiper targets the Middle East and shows interest in European targets
Woburn, MA – March 6, 2017 – The Kaspersky Lab Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in
the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.
In 2012, the Shamoon (also known as Disttrack) wiper made a lot of noise by taking down around 35,000 computers in an oil and gas company in the Middle East. This devastating attack left 10 percent of the world’s oil supply potentially at risk. However, the incident was one of a kind, and after it the actor essentially went dark. In late 2016, it returned in the form of Shamoon 2.0 – a far more extensive malicious campaign using a heavily updated version of the 2012 malware.
While exploring these attacks Kaspersky Lab researchers unexpectedly found malware that was built in a similar “style” to Shamoon 2.0. At the same time, it was very different and more sophisticated than Shamoon and they named it StoneDrill.
StoneDrill – a wiper with connections
It is not yet known how StoneDrill is propagated, but once on the attacked machine, it injects itself into the memory process of the user’s preferred browser. During this process, it uses two sophisticated anti-emulation techniques aimed at fooling security solutions installed on the victim machine. The malware then starts destroying the computer’s disk files.
So far, at least two targets of the StoneDrill wiper have been identified, one based in the Middle East and the other in Europe.
Besides the wiping module, Kaspersky Lab researchers have also found a StoneDrill backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets.
Perhaps the most interesting thing about StoneDrill is that it appears to have connections to several other wipers and espionage operations observed previously. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara-rules created to identify unknown samples of Shamoon, they realized they were looking at a unique piece of malicious code that seems to have been created separately from Shamoon. Even though the two families – Shamoon and StoneDrill – don’t share the exact same code base, the mindset of the authors and their programming “style” appear to be similar. That’s why it was possible to identify StoneDrill with the Shamoon-developed Yara-rules.
Code similarities with older known malware were also observed, but this time not between Shamoon and StoneDrill. In fact StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten – another malicious campaign which has been active in the last few years.
Continue reading on next page