Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

Dubbed “StoneDrill,” the malware has been linked to the notorious Shamoon 2 and Charming Kitten, aka Newscaster and NewsBeef, a threat actor believed to be located in Iran.

The security firm has observed the threat being used in attacks aimed at entities in Saudi Arabia and one organization in Europe. Unlike in the case of Shamoon, which is known to have caused significant damage to oil giant Saudi Aramco, there are no reports of damaging attacks involving StoneDrill.

Kaspersky Lab discovered StoneDrill using Yara rules created in an effort to identify unknown samples of Shamoon, aka Disttrack. Shamoon and StoneDrill don’t have the same codebase, but researchers said their authors’ programming style and mindset are similar.

While it’s unclear exactly how StoneDrill has been delivered to victims, once it infects a machine, the malware injects itself into the web browser process and uses sophisticated techniques designed for evading security products.

The threat targets both physical and logical drives, and reboots the system once the wipe process is completed. Researchers pointed out that the wiper functionality in StoneDrill has been implemented using a new technique.

Kaspersky has also identified a StoneDrill sample designed to act as a backdoor, likely for espionage operations. Researchers have identified four command and control (C&C) servers used for spying on an unknown number of targets.

While there are similarities between StoneDrill and Shamoon, such as the October-November 2016 sample compilation dates and the fact that both store their payload inside encrypted resources, there are some significant differences. For instance, Shamoon doesn’t use advanced evasion techniques, it doesn’t rely on external scripts, and it leverages drivers instead of memory injections.

Advertisement. Scroll to continue reading.

Furthermore, StoneDrill uses C&C communications, which allows the attackers to interact with the malware instead of having to use a “kill time” as in the Shamoon attacks.

On the other hand, Kaspersky said StoneDrill seems more similar to a piece of malware used in APT campaigns attributed to Charming Kitten. Researchers discovered similarities in code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures. In fact, StoneDrill appears to be an evolution of Charming Kitten malware.

StoneDrill, Shamoon, Charming Kitten similarities and differences

While it is possible that StoneDrill is just another wiper used by the Shamoon actor, a more likely scenario, according to Kaspersky, is that these are separate groups with largely the same objectives.

“When it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found,” explained Kaspersky’s Mohamad Amin Hasbini. “But of course, we do not exclude the possibility of these artefacts being false flags.”

Shamoon, which had been delivered to victims via weaponized documents, has been linked to several groups believed to be operating out of Iran. Symantec reported recently that the threat actor behind the Shamoon attacks may have been aided by the groups tracked as Magic Hound (aka Timberworm and COBALT GYPSY) and Greenbug. These groups have been connected to both Charming Kitten and Rocket Kitten.

Related: Shamoon 2 Variant Targets Virtualization Products

Related: Iranian Spies Target Saudi Arabia in “Magic Hound” Attacks

Related: Iranian Hackers Use Mac Malware to Steal Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...