The global research and analysis team at Kaspersky Lab's has revealed the discovery of a sophisticated wiper malware known as StoneDrill. According to the Russia-based research company, the new wiper has been developed in the same style as Shamoon (also known as Disttrack), a wiper took down roughly 35 000 computers in an oil and gas company in the Middle East in 2012.
"This attack left 10% of the world's oil supply potentially at risk. However, the incident was one of a kind, and after it the actor essentially went dark. In late 2016 it returned in the form of Shamoon 2.0 - a far more extensive malicious campaign using a heavily updated version of the 2012 malware. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild," said the Kaspersky Lab team.
The company says it's not yet known how StoneDrill is disseminated, but once on the attacked machine it injects itself into the memory process of the user's preferred browser. During this process, it uses two high-end anti-emulation techniques aimed at fooling security solutions installed on the victim machine. The malware then starts destroying the computer's disk files. "So far, at least two targets of the StoneDrill wiper have been identified, one based in the Middle East and the other in Europe," the company confirmed.
Moreover the team uncovered a backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets. Furthermore, the malware also appears to have connections to several other wipers and espionage operations observed previously.
Said the company: "When the researchers discovered StoneDrill with the help of Yara-rules created to identify unknown samples of Shamoon, they realised they were looking at a unique piece of malicious code that seems to have been created separately from Shamoon. Even though the two families - Shamoon and StoneDrill - don't share the exact same code base, the mind-set of the authors and their programming 'style' appear to be similar. That's why it was possible to identify StoneDrill with the Shamoon-developed Yara-rules."
Code similarities with older known malware were also observed. StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten - another malicious campaign which has been active in the last few years.
"We were very intrigued by the similarities and comparisons between these three malicious operations. Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organisations at the same time? Or, two groups which are separate but aligned in their objectives? The latter theory is the most likely one: when it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections," noted Mohamad Amin Hasbini, senior security researcher of the global research and analysis team, Kaspersky Lab.
He further urged firms to provide protection inside and outside the perimeter. "A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects," he said.
Share