Shamoon-Linked "StoneDrill" Malware Allows Spying, Destruction

Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

Dubbed “StoneDrill,” the malware has been linked to the notorious Shamoon 2 and Charming Kitten, aka Newscaster and NewsBeef, a threat actor believed to be located in Iran.

The security firm has observed the threat being used in attacks aimed at entities in Saudi Arabia and one organization in Europe. Unlike in the case of Shamoon, which is known to have caused significant damage to oil giant Saudi Aramco, there are no reports of damaging attacks involving StoneDrill.

Kaspersky Lab discovered StoneDrill using YARA rules created in an effort to identify unknown samples of Shamoon, aka Disttrack. Shamoon and StoneDrill don’t share a codebase, but researchers said their authors’ programming style and mindset are similar.

While it’s unclear exactly how StoneDrill has been delivered to victims, once it infects a machine, the malware injects itself into the web browser process and uses sophisticated techniques designed for evading security products.

The threat targets both physical and logical drives, and reboots the system once the wipe process is completed. Researchers pointed out that the wiper functionality in StoneDrill has been implemented using a new technique.

Kaspersky has also identified a StoneDrill sample designed to act as a backdoor, likely for espionage operations. Researchers have identified four command and control (C&C) servers used for spying on an unknown number of targets.

While there are similarities between StoneDrill and Shamoon, such as the October-November 2016 sample compilation dates and the fact that both store their payload inside encrypted resources, there are some significant differences. For instance, Shamoon doesn’t use advanced evasion techniques, it doesn’t rely on external scripts, and it leverages drivers instead of memory injections.

Furthermore, StoneDrill uses C&C communications, which allows the attackers to interact with the malware instead of having to use a “kill time” as in the Shamoon attacks.

On the other hand, Kaspersky said StoneDrill seems more similar to a piece of malware used in APT campaigns attributed to Charming Kitten. Researchers discovered similarities in code, C&C naming conventions, backdoor commands and functionality, and WinMain signatures. In fact, StoneDrill appears to be an evolution of Charming Kitten malware.

[Figure: StoneDrill, Shamoon, Charming Kitten similarities and differences]

While it is possible that StoneDrill is just another wiper used by the Shamoon actor, a more likely scenario, according to Kaspersky, is that these are separate groups with largely the same objectives.

“When it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found,” explained Kaspersky’s Mohamad Amin Hasbini. “But of course, we do not exclude the possibility of these artefacts being false flags.”
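The resource-language artefact Hasbini describes, combined with the payload-in-encrypted-resources trait mentioned earlier, is the kind of low-cost hunting pivot a defender can express as a YARA rule, which is also how Kaspersky says it surfaced StoneDrill in the first place. The rule below is an added illustration written for this article, not Kaspersky's own rule: it uses YARA's `pe` and `math` modules to flag PE files carrying a large, high-entropy resource tagged with a Persian (0x0429) or Arabic-Yemen (0x2401) language ID. The locale IDs, the size floor and the entropy threshold are assumptions chosen for illustration.

```yara
import "pe"
import "math"

// Added hunting example (not Kaspersky's rule). Looks for a PE file that
// carries at least one resource whose language ID is Persian (0x0429) or
// Arabic-Yemen (0x2401) and whose content looks encrypted or compressed
// (high Shannon entropy), mirroring the two artefacts the article describes.
// Locale IDs, the 4 KiB size floor and the 7.2 entropy cut-off are
// assumptions for illustration; tune them against your own sample set.
rule hunt_high_entropy_resource_with_suspect_locale
{
    meta:
        description = "Hunting heuristic: encrypted-looking PE resource tagged with a Persian or Arabic-Yemen language ID"
        reference   = "Resource-language and encrypted-resource artefacts reported for StoneDrill/Shamoon"
        confidence  = "low - hunting only, expect benign hits from legitimate Persian/Arabic software"

    condition:
        // MZ magic and at least one resource entry the pe module could parse
        uint16(0) == 0x5A4D and
        pe.number_of_resources > 0 and
        for any i in (0..pe.number_of_resources - 1): (
            (pe.resources[i].language == 0x0429 or
             pe.resources[i].language == 0x2401) and
            pe.resources[i].length > 4096 and
            math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.2
        )
}
```

Treat matches as triage candidates rather than verdicts: any legitimately localised Persian or Yemeni-Arabic binary with a compressed resource will trip it, and, as the quote itself notes, resource languages are trivially set by the author and may be false flags, so the rule is useful for narrowing a sample corpus, not for blocking.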

Shamoon, which had been delivered to victims via weaponized documents, has been linked to several groups believed to be operating out of Iran. Symantec reported recently that the threat actor behind the Shamoon attacks may have been aided by the groups tracked as Magic Hound (aka Timberworm and COBALT GYPSY) and Greenbug. These groups have been connected to both Charming Kitten and Rocket Kitten.

Related: Shamoon 2 Variant Targets Virtualization Products

Related: Iranian Spies Target Saudi Arabia in "Magic Hound" Attacks

Related: Iranian Hackers Use Mac Malware to Steal Data

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.