The IT security researchers at Kaspersky Lab have discovered a new malware family targeting oil and gas companies in the Middle East, with further targets in Europe.
Dubbed StoneDrill by the researchers, the malware can evade antivirus detection and destroy everything on an infected device. Kaspersky Lab found StoneDrill being used in attacks against Saudi Arabia that resemble those of the Shamoon malware, which has reportedly been linked with Iranian government-backed hackers since 2012.
StoneDrill is more sophisticated than Shamoon, but its build is similar to Shamoon 2.0, the variant of Shamoon that resurfaced in 2016 with attacks on government servers in Saudi Arabia. StoneDrill and Shamoon do not share a codebase, yet the mindset of their authors and their programming “style” appear to be similar.
It is unclear how StoneDrill is delivered to victims. Once it infects a device, it injects itself into the memory of the victim’s web browser process and uses two sophisticated anti-emulation techniques aimed at fooling security products installed on the machine. The malware then begins destroying files on the computer’s disk. StoneDrill also functions as a backdoor, apparently for large-scale espionage campaigns, and has been observed spying on an unknown number of targets via four command and control (C&C) servers.
“We were very intrigued by the similarities and comparisons between these three malicious operations,” said Mohamad Amin Hasbini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab. “Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time? Or, two groups which are separate but aligned in their objectives? The latter theory is the most likely one: when it comes to artifacts, we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artifacts being false flags.”
Shamoon was delivered to victims through infected documents, and StoneDrill may well use similar means to infect unsuspecting users. It is therefore advisable to ignore unexpected emails and to avoid downloading attachments or clicking links sent from unknown senders.