Malware

Kaspersky Lab discovered a new sophisticated Shamoon-Linked malware dubbed StoneDrill

The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten.

Researchers at Kaspersky Lab have discovered further information about the dreaded Shamoon 2 malware. The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef). StoneDrill can be used for both cyber espionage and sabotage, like Shamoon it wipes the infected computer.

The malware was used by threat actors against entities in Saudi Arabia and at least one organization in Europe.

“While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware which appears to be targeting organizations in Saudi Arabia. We’re calling this new wiper StoneDrill. StoneDrill has several “style” similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection.” reads the analysis shared by Kaspersky Lab. “In addition to suspected Saudi targets, one victim of StoneDrill was observed on the Kaspersky Security Network (KSN) in Europe. This makes us believe the threat actor behind StoneDrill is expanding its wiping operations from the Middle East to Europe.”

StoneDrillStoneDrill

At the time the report was published by Kaspersky, there are no reports of StoneDrill attacks that caused damage.

The discovery of the new threat was causal, researchers were using a set of Yara rules developed to identify the Shamoon malware.

Even if StoneDrill and Shamoon don’t share portions of code, the experts discovered many similarities between malware styles and malware components in Shamoon, StoneDrill, and NewsBeef.

The researchers are still investigating the infection process, they confirmed that StoneDrill implements sophisticated techniques to evade security applications.

While Shamoon uses drivers during deployment, StoneDrill implements memory injection mechanisms of the wiping module into the victim’s browser.

The wiper feature has been implemented using a new technique.

The wiper is able to target both physical and logical drives and reboots the system once the wipe process is completed.

“Depending on the configuration, this module wipes with random data one of following possible targets:

  • All accessible physical drives by using the device path “\\.\PhysicalDrive”
  • All accessible logical drives by using device path “\\.\X:”
  • Recursively wipes and deletes files in all folders except “Windows” on all accessible logical drives
  • Places a special emphasis on wiping files named “asdhgasdasdwqe%digits%” in the root folder of the disk.

The researchers at Kaspersky have detected a StoneDrill sample that was specifically designed to establish a backdoor on the infected system. The sample was likely developed for espionage purposes.

The experts identified four C&C servers used in cyber espionage activities, this means that StoneDrill uses C&C communications to receive instructions from attackers.

Researchers discovered that StoneDrill has many similarities (code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures) to a strain of malware used by Charming Kitten.

For this reason, it is considered an evolution of the Charming Kitten malware.

Is there the same threat behind StoneDrill and Shamoon threats?

According to the experts from Kaspersky, there are two separate groups behind the threat that anyway share the same objectives.

“While Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Of course, we do not exclude the possibility of false flags.” reads the report.

The last variant of the Shamoon malware that targeted organizations in Saudi Arabia also includes a newly discovered ransomware component.

According to the experts, the ransomware component of Shamoon 2 has yet to be used in the wild.

“Despite the widespread coverage of the resurgence of the Shamoon wiper, few have noted the new ransomware functionality. The wiper module of Shamoon 2.0 has been designed to run as either a wiper or an encryptor (ransomware). ” reads the Kaspersky’s analysis. “In the “encryption/ransomware” mode, a weak pseudo-random RC4 key is generated, which is further encrypted by the RSA public key and stored directly on the hard drive (at <\Device\Harddisk0\Partition0>) starting at offset 0x201, right after the master boot record”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Shamoon 2, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on…

4 hours ago

New PumaBot targets Linux IoT surveillance devices

PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and…

8 hours ago

App Store Security: Apple stops $2B in fraud in 2024 alone, $9B over 5 years

Apple blocked over $9B in fraud in 5 years, including $2B in 2024, stopping scams…

9 hours ago

Crooks use a fake antivirus site to spread Venom RAT and a mix of malware

Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading…

13 hours ago

Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks<gwmw style="display:none;"></gwmw>

Iranian man pleads guilty to role in Baltimore ransomware attack tied to Robbinhood, admitting to…

14 hours ago

DragonForce operator chained SimpleHelp flaws to target an MSP and its customers

Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a…

1 day ago