A newly identified disk-wiping malware known as StoneDrill has emerged, with at least one victim being a petrochemical company in Europe. This malware bears similarities to the infamous Shamoon, which in 2012 destroyed data on roughly 35,000 computers at Saudi Arabia's national oil company.
Disk-wiping malware like StoneDrill can inflict severe damage on organizations by permanently erasing all data on affected systems, including hard drives and external storage devices. Such attacks can lead to significant financial losses and harm to an organization’s reputation.
Security experts from Kaspersky Lab, a Moscow-based antivirus provider, discovered StoneDrill while investigating the resurgence of Shamoon, referred to as Shamoon 2.0. This updated version of the original malware attacked numerous entities, wiping data and overwriting the master boot records of infected computers so that they could no longer boot.
Researchers report that while StoneDrill is modeled in the same “style” as Shamoon 2.0, it does not share the same underlying code. They noted that the attack targeted a significant entity within the petrochemical industry, indicating that the threat group behind StoneDrill is expanding its operations beyond the Middle East.
The disk-wiping capability has evolved in Shamoon 2.0, which operates as a service designed to hit every system in an organization that is joined to a Windows domain. It propagates by using a collection of hard-coded, previously compromised usernames and passwords belonging to domain administrators, so no exploit is needed: the stolen credentials alone give it access to each host.
Once a system is infected, Shamoon 2.0 generates a tailored wiper module locally, with no connection to a command-and-control server required, leaving the compromised machines completely inoperable. StoneDrill, for its part, incorporates sophisticated evasion techniques aimed at avoiding detection and sidestepping sandbox and emulation environments. Unlike Shamoon, StoneDrill installs no disk driver; instead it injects the wiping module into the memory of the victim's preferred web browser.
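Propagation with a fixed set of stolen domain-administrator credentials leaves a recognizable trace in Windows Security logs: one source host authenticating as an admin account to many machines in a short window. The script below is an added example, not code from Kaspersky or from the original article, that runs that check over a handful of constructed 4624-style logon records (hostnames, accounts, addresses and times are made up for illustration). The admin set, the five-minute window and the five-host threshold are assumptions to be tuned to your environment.

```python
"""Flag fan-out of domain-admin network logons from one source host.

Added example: the event rows below are constructed to resemble the
fields of Windows Security event 4624 (successful logon). They are not
real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, account, logon_type, source_ip, target_host) -- constructed
SAMPLE_EVENTS = [
    # One host using a domain-admin account to reach six machines in ~2 min.
    ("2017-03-01 02:00:05", "CORP\\da_backup", 3, "10.0.5.23", "FS01"),
    ("2017-03-01 02:00:19", "CORP\\da_backup", 3, "10.0.5.23", "FS02"),
    ("2017-03-01 02:00:41", "CORP\\da_backup", 3, "10.0.5.23", "HR-WS07"),
    ("2017-03-01 02:01:03", "CORP\\da_backup", 3, "10.0.5.23", "ENG-WS12"),
    ("2017-03-01 02:01:30", "CORP\\da_backup", 3, "10.0.5.23", "SQL01"),
    ("2017-03-01 02:02:12", "CORP\\da_backup", 3, "10.0.5.23", "DC02"),
    # Same admin, interactive console logon (type 2): normal admin work.
    ("2017-03-01 09:15:00", "CORP\\da_backup", 2, "10.0.5.23", "FS01"),
    # Ordinary user touching many shares: not a domain admin, not flagged.
    ("2017-03-01 02:00:10", "CORP\\jdoe", 3, "10.0.5.40", "FS01"),
    ("2017-03-01 02:00:12", "CORP\\jdoe", 3, "10.0.5.40", "FS02"),
    ("2017-03-01 02:00:15", "CORP\\jdoe", 3, "10.0.5.40", "FS03"),
    ("2017-03-01 02:00:18", "CORP\\jdoe", 3, "10.0.5.40", "FS04"),
    ("2017-03-01 02:00:20", "CORP\\jdoe", 3, "10.0.5.40", "FS05"),
    # Admin account reaching only two hosts: below the threshold.
    ("2017-03-01 03:10:00", "CORP\\da_ops", 3, "10.0.5.50", "FS01"),
    ("2017-03-01 03:11:00", "CORP\\da_ops", 3, "10.0.5.50", "FS02"),
]

# Assumed: the set of privileged accounts, normally pulled from the
# Domain Admins group rather than hard-coded.
DOMAIN_ADMINS = {"CORP\\da_backup", "CORP\\da_ops"}

# Logon types 3 (network) and 10 (RemoteInteractive) are what remote
# propagation with stolen credentials produces on the target host.
NETWORK_LOGON_TYPES = {3, 10}


def parse_event(row):
    """Turn a constructed row into a dict with a real datetime."""
    ts, account, logon_type, src, target = row
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "account": account,
        "logon_type": logon_type,
        "src": src,
        "target": target,
    }


def find_fanout(events, admins, window=timedelta(minutes=5), min_targets=5):
    """Return (source_ip, account, targets) for every admin account that
    logs on over the network to at least min_targets distinct hosts from
    one source within `window`. One alert per (source, account) pair."""
    by_key = defaultdict(list)
    for e in events:
        if e["account"] in admins and e["logon_type"] in NETWORK_LOGON_TYPES:
            by_key[(e["src"], e["account"])].append(e)

    alerts = []
    for (src, account), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((src, account, sorted(targets)))
                break
    return alerts


if __name__ == "__main__":
    for src, account, targets in find_fanout(
        [parse_event(r) for r in SAMPLE_EVENTS], DOMAIN_ADMINS
    ):
        print(f"ALERT {src} as {account} reached {len(targets)} hosts: {targets}")
```

On the constructed input only the 10.0.5.23 / da_backup pair is reported; the interactive logon is ignored because a console session is not what credential-driven spreading looks like, and the non-admin user is ignored regardless of how many shares it opens. In production the same logic would be fed from the domain controllers' forwarded 4624 events, and the threshold should sit just above what legitimate management tooling (backup agents, patching) produces from its known source hosts.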
StoneDrill further enhances its stealth by using Visual Basic scripts to delete itself after execution, a departure from Shamoon's tactics. In addition, the new malware carries backdoor functions suited to espionage, such as taking screenshots and uploading data to any of four identified command-and-control servers.
One noteworthy aspect of Shamoon 2.0 is a ransomware component that is present in the code but currently inactive. Its presence suggests the attackers could switch from pure destruction to extorting organizations for financial gain or to make an ideological point, so defenders should not assume a wiper campaign and a ransom campaign are mutually exclusive.
This discovery marks a significant evolution in destructive attacks on organizations: StoneDrill's victims are predominantly in Saudi Arabia, but its reach now extends to Europe. The capabilities described here warrant close attention from defenders, particularly in the energy and petrochemical sectors that these campaigns have favored.
In light of these developments, organizations should map the behaviors described here onto the MITRE ATT&CK framework to evaluate the adversary tactics likely to appear in similar attacks, including initial access, persistence, privilege escalation, lateral movement with valid domain credentials, and impact through data destruction. For deeper technical detail on both StoneDrill and Shamoon 2.0, readers can refer to Kaspersky's official blog.