
New StoneDrill Malware Replaces Shamoon, Packs Additional Dangerous Features

While investigating a new and destructive wave of attacks using Shamoon 2.0, the second and more powerful version of Shamoon, in late 2016, researchers at the security firm Kaspersky Lab discovered another malware threat that strongly resembles Shamoon in style and structure, yet is clearly distinct and considerably more sophisticated. The new malware, called StoneDrill, is another wiper: a malicious program designed to render the infected computer unusable by destroying its data. StoneDrill appears more dangerous than Shamoon and Shamoon 2.0 because it adds features intended to evade detection by anti-virus products and to conduct cyber espionage.

The researchers also found that StoneDrill has at least one target in Europe in addition to its targets in the Middle East, which further sets it apart from the two earlier threats. Although it is still not clear how StoneDrill spreads, the fact that it seeks victims in previously unaffected territory should be taken as a strong signal that its authors have new goals.

Once the malware lands on the target computer, it injects its malicious code into the memory of the victim's preferred browser process. It uses two sophisticated anti-emulation techniques designed to defeat the security software installed on the affected machine. After that, the wiper starts destroying the data on the computer's disk. Apart from the wiping function, StoneDrill also includes a backdoor, apparently developed by the same authors, that can be used for espionage. Kaspersky's researchers identified four command-and-control panels through which the attackers have run cyber espionage operations using this backdoor. The targets of these operations, as well as their number, are still unknown.

Another interesting finding is that StoneDrill appears to be connected to several other recently detected wipers and espionage cases. StoneDrill was discovered with the help of YARA rules that had been written specifically to detect unknown samples of Shamoon. The two malware families are very similar in programming style, yet StoneDrill clearly has its own code base and was developed separately from Shamoon. StoneDrill also shows code similarities to malware used in the Charming Kitten campaign, which has been active for several years.

StoneDrill is clearly built to inflict the greatest possible damage on infected computers, though its actual impact and exact goals are still unknown. The most likely hypothesis is that Shamoon and StoneDrill come from two different groups that nevertheless share the same objectives. While Shamoon embeds Arabic-Yemen language resources in its code, StoneDrill's resource sections are mainly in Persian. Both Iran and Yemen are involved in the conflict between Iran and Saudi Arabia, and most of the targets of Shamoon and StoneDrill are located in Saudi Arabia. Kaspersky also suggests in its report that the attackers behind StoneDrill could be connected to a group known as Newscaster, and that there are indications they are based in Iran, as the group behind Shamoon is believed to be.

Good protection against this type of wiper attack starts with a reliable detection strategy. Many of these threats rely on a worm component that spreads by trying weak or stolen login credentials against other machines on the network, so the early stage of an attack can be caught through centralized collection and monitoring of failed login attempts: a single workstation failing to authenticate against many different accounts or many different hosts within a short period is a pattern that no legitimate user produces.
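The following is an added example of the detection approach described above; it is not code from the original article or from Kaspersky's report. It takes centrally collected Windows failed-logon records (Security event ID 4625), groups them by the source workstation, and flags any source that fails against several distinct accounts or several distinct hosts inside a sliding time window. The log lines, host names and user names are constructed for the example, and the key=value layout is a simplified rendering rather than the exact output of any particular log collector.

```python
"""
Added example: a minimal centralized failed-logon detector.

Input is a set of Windows Security events gathered from many hosts.
Only event 4625 (failed logon) is examined. Each failure is attributed
to the *source* workstation that attempted it; a source that fails
against many accounts or many target hosts within a short window is
reported, since that is what a credential-guessing worm looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical hosts and users, not real data).
# Status 0xC000006A is the NTSTATUS code for a wrong password.
SAMPLE_LOG = """\
2017-03-06T21:00:01 EventID=4625 Host=FS01 TargetUser=backup Source=WS17 Status=0xC000006A
2017-03-06T21:00:02 EventID=4625 Host=FS01 TargetUser=admin Source=WS17 Status=0xC000006A
2017-03-06T21:00:03 EventID=4625 Host=FS02 TargetUser=backup Source=WS17 Status=0xC000006A
2017-03-06T21:00:04 EventID=4625 Host=FS02 TargetUser=svc_sql Source=WS17 Status=0xC000006A
2017-03-06T21:00:05 EventID=4625 Host=DC01 TargetUser=administrator Source=WS17 Status=0xC000006A
2017-03-06T21:00:06 EventID=4625 Host=DC01 TargetUser=jsmith Source=WS17 Status=0xC000006A
2017-03-06T21:00:07 EventID=4624 Host=FS01 TargetUser=jsmith Source=WS03 Status=0x0
2017-03-06T21:05:00 EventID=4625 Host=FS01 TargetUser=jsmith Source=WS03 Status=0xC000006A
2017-03-06T21:05:30 EventID=4625 Host=FS01 TargetUser=jsmith Source=WS03 Status=0xC000006A
2017-03-06T22:30:00 EventID=4625 Host=FS03 TargetUser=guest Source=WS17 Status=0xC000006A
"""


def parse_events(text):
    """Parse key=value log lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=3, min_hosts=2):
    """
    Return {source: (distinct_accounts, distinct_hosts)} for each source
    workstation whose failed logons inside any `window`-long span touch at
    least `min_accounts` accounts or `min_hosts` target hosts.

    A user mistyping a password fails against one account on one host and
    is never reported; a worm guessing credentials across the network is.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":
            by_source[ev["Source"]].append(ev)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["TargetUser"] for e in span}
            hosts = {e["Host"] for e in span}
            if len(accounts) >= min_accounts or len(hosts) >= min_hosts:
                prev_acc, prev_hosts = alerts.get(source, (set(), set()))
                alerts[source] = (prev_acc | accounts, prev_hosts | hosts)
    return {s: (len(a), len(h)) for s, (a, h) in alerts.items()}


if __name__ == "__main__":
    for source, (n_acc, n_hosts) in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {source}: failed logons against {n_acc} accounts on {n_hosts} hosts")
```

On the constructed sample, WS17 is reported (five accounts across three hosts in a few seconds, plus an isolated failure over an hour later that falls outside the window), while WS03, which only fails twice for one user on one host, is not. The thresholds and window are starting points to be tuned against a baseline of normal failures in the environment being monitored, and the same grouping can be applied to source IP addresses where the collector records them instead of workstation names.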
