Europe and the Middle East have been the target of a new strain of “wiper” malware, according to researchers from Kaspersky Lab. The discovery was made while they were investigating the re-emergence of the Shamoon malware. Shamoon was linked to the wiping of 35,000 computers belonging to a Saudi Arabian oil and gas company in 2012 and 2016.
While researching Shamoon 2.0, they stumbled upon a completely different and more sophisticated wiper malware, which they dubbed StoneDrill.
Once installed on the victim’s computer, StoneDrill injects itself into the memory of the user’s browser process. It uses several anti-emulation techniques to avoid detection and eventually begins destroying files on the hard drive.
Its code also contains cyber-espionage elements: command and control panel components are used by the attackers to spy on as yet unknown targets.
There are two confirmed victims of StoneDrill – one in the Middle East and one in Europe. Interestingly, this suggests that the developers intend to expand their range of targets in the future.
Similarities have been found between StoneDrill and Shamoon 2.0 in terms of attack time frame and targets. The main difference is that StoneDrill is far more advanced in its evasion techniques, its use of external scripts, and its injection into the victim’s browser; Shamoon 2.0 has none of these characteristics.
It is hypothesized that the two were created by different groups with similar intentions and interests, rather than there being any direct link between them.
It is also interesting that there are similarities between StoneDrill and the NewsBeef APT. StoneDrill reuses parts of the code associated with NewsBeef, and both have targeted Saudi companies.
It remains a puzzle why these wiper malware variants resemble one another in some ways. Is the way they operate and target Saudi companies connected? Is there a rhyme or reason to all of this?
“When it comes to artifacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artifacts being false flags,”