Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

Dubbed “StoneDrill,” the malware has been linked to the notorious Shamoon 2 and Charming Kitten, aka Newscaster and NewsBeef, a threat actor believed to be located in Iran.

The security firm has observed the threat being used in attacks aimed at entities in Saudi Arabia and one organization in Europe. Unlike in the case of Shamoon, which is known to have caused significant damage to oil giant Saudi Aramco, there are no reports of damaging attacks involving StoneDrill.

Kaspersky Lab discovered StoneDrill using Yara rules created in an effort to identify unknown samples of Shamoon, aka Disttrack. Shamoon and StoneDrill don’t have the same codebase, but researchers said their authors’ programming style and mindset are similar.

While it’s unclear exactly how StoneDrill has been delivered to victims, once it infects a machine, the malware injects itself into the web browser process and uses sophisticated techniques designed for evading security products.

The threat targets both physical and logical drives, and reboots the system once the wipe process is completed. Researchers pointed out that the wiper functionality in StoneDrill has been implemented using a new technique.

Kaspersky has also identified a StoneDrill sample designed to act as a backdoor, likely for espionage operations. Researchers have identified four command and control (C&C) servers used for spying on an unknown number of targets.

While there are similarities between StoneDrill and Shamoon, such as the October-November 2016 sample compilation dates and the fact that both store their payload inside encrypted resources, there are some significant differences. For instance, Shamoon doesn’t use advanced evasion techniques, it doesn’t rely on external scripts, and it relies on drivers where StoneDrill relies on memory injection.

Furthermore, StoneDrill uses C&C communications, which allows the attackers to interact with the malware instead of having to rely on a preset “kill time,” as in the Shamoon attacks.

On the other hand, Kaspersky said StoneDrill seems more similar to a piece of malware used in APT campaigns attributed to Charming Kitten. Researchers discovered similarities in code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures. In fact, StoneDrill appears to be an evolution of Charming Kitten malware.

[Figure: StoneDrill, Shamoon, Charming Kitten similarities and differences]

While it is possible that StoneDrill is just another wiper used by the Shamoon actor, a more likely scenario, according to Kaspersky, is that these are separate groups with largely the same objectives.

“When it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found,” explained Kaspersky’s Mohamad Amin Hasbini. “But of course, we do not exclude the possibility of these artefacts being false flags.”

Shamoon, which had been delivered to victims via weaponized documents, has been linked to several groups believed to be operating out of Iran. Symantec reported recently that the threat actor behind the Shamoon attacks may have been aided by the groups tracked as Magic Hound (aka Timberworm and COBALT GYPSY) and Greenbug. These groups have been connected to both Charming Kitten and Rocket Kitten.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.