The IT security researchers at Kaspersky Labs have discovered a new malware targeting oil and gas companies in the Middle East and also aiming towards targets in Europe.
Dubbed StoneDrill by researchers, the malware can evade antivirus detection and destroy everything on an infected device.
You will be aware of so-called wipers – a type of malware which, once installed on an attacked PC, completely wipes all data from it – leaving the owner of the computer with a completely clean, barely operable piece of hardware.
The most famous (and infamous) wiper is Shamoon – malware which in 2012 made a lot of noise in the Middle East by destroying data on 30,000+ endpoints at the world’s largest oil company – Saudi Aramco, and also hitting another energy giant – Rasgas.
Just imagine: 30,000+ pieces of inoperable hardware in the world’s largest oil company…
Curiously, since its devastating campaign against the Saudi company in 2012, little had been heard of Shamoon until it returned in 2016 as Shamoon 2.0, with several new waves of attacks – again in the Middle East.
Since the new waves of Shamoon attacks began, researchers have been tuning their sensors to search for as many versions of this malware as possible (because, let’s face it, we don’t want ANY of our customers to EVER be struck by malware like Shamoon).
And the researchers managed to find several versions – hurray!
But together with their haul of Shamooners, their nets unexpectedly caught a completely new type of wiper malware, which we’ve named StoneDrill.
The difference between the two is that StoneDrill is more sophisticated than Shamoon; however, its build is similar to that of Shamoon 2.0, the variant of Shamoon that made a comeback in 2016 by targeting government servers in Saudi Arabia.
Also, StoneDrill and Shamoon have different codebases, yet the mindset of the authors and their programming “style” appear to be similar.
It is unclear how StoneDrill is delivered to victims. Once it infects a device, it injects itself into the memory of the victim’s web browser process and uses two sophisticated anti-emulation techniques aimed at fooling the security solutions installed on the machine. The malware then starts destroying the computer’s disk files.
Furthermore, StoneDrill also works as a backdoor, apparently for large-scale espionage campaigns, and spies on an unknown number of targets using four command-and-control (C&C) servers.
“We were very intrigued by the similarities and comparisons between these three malicious operations,” said Mohamad Amin Hasbini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.
“Was StoneDrill another wiper deployed by the Shamoon actor?
Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time?
Or, two groups which are separate but aligned in their objectives?
The latter theory is the most likely one: when it comes to artifacts, we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections.
Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found.
But of course, we do not exclude the possibility of these artifacts being false flags.”
While Shamoon was delivered to victims through infected documents, there is a chance that StoneDrill uses similar means to infect unsuspecting users.
In this regard, it is highly advisable to treat unexpected emails with suspicion and to avoid downloading attachments or clicking links sent by unknown senders.