March 6, 2017
Shamoon—the mysterious disk wiper that popped up out nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing—is back. Its new, meaner design has been unleashed three time since November. What’s more, a new wiper developed in the same style as Shamoon has been discovered targeting a petroleum company in Europe, where wipers used in the Middle East have not previously been seen.
Researchers from Moscow-based antivirus provider Kaspersky Lab have dubbed the new wiper “StoneDrill.” They found it while they were researching the trio of Shamoon attacks, which occurred on two dates in November and one date in late January. The refurbished Shamoon 2.0 added new tools and techniques, including less reliance on outside command-and-control servers, a fully functional ransomware module, and new 32-bit and 64-bit components.
StoneDrill, meanwhile, features an impressive ability to evade detection by, among other things, forgoing the use of disk drivers during installation. To accomplish this, it injects a wiping module into the computer memory associated with the user’s preferred browser. StoneDrill also includes backdoor functions that are used for espionage purposes. Kaspersky researchers found four command-and-control panels that the attackers used to steal data from an unknown number of targets. Besides sharing code similarities with Shamoon, StoneDrill also reuses code used in an espionage campaign dubbed “NewsBeef,” which targeted organizations around the world.
“The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East,” Kaspersky Lab researchers wrote in a 35-page report published Monday. “The target for the attack appears to be a large corporation with a wide area of activity in the petrochemical sector, with no apparent connection or interest in Saudi Arabia.”
The researchers still don’t know precisely what connection StoneDrill has with Shamoon. The most plausible relationship, they said, is that each belongs to two different hacking groups that are aligned in their interests. This theory is consistent with the discovery that StoneDrill contains support for Arabic-Yemen language while Shamoon contains mostly Persian language support. The Persian-speaking Iran and Yemen “are both players in the Iran-Saudi Arabia proxy conflict,” researchers noted in Monday’s report.
The researchers also noted the possibility that one or both of the embedded language sections are “false flags” intended to mislead investigators about the origins of the malware. Another possibility is that StoneDrill is a less-used wiper that’s deployed in certain situations by the same group that uses Shamoon. It’s also possible that StoneDrill and Shamoon are used by two different groups that have no connection to each other and just happened to target Saudi organizations at the same time.
StoneDrill came to the attention of Kaspersky Labs as researchers were investigating the recent wave of Shamoon attacks. Part of their probe involved the use of a malware-hunting tool known as YARA. The researchers initially thought that a detection rule they wrote uncovered a new Shamoon variant. After deeper analysis, the researchers found that the malware was a distinct, never-before-seen wiper, which they dubbed StoneDrill.
Like the Shamoon strain from 2012, the newer version quietly burrows into a targeted network so that attackers can obtain administrator credentials. Shamoon 2.0 allows the attackers to build a custom wiper that uses the credentials to spread widely inside the organization. Then, on a set date, the wiper activates and quickly leaves the infected machines completely inoperable. The final stages of the attacks are automated, a feature that eliminates the need for communication with command-and-control servers. Kaspersky Lab researchers still don’t know how StoneDrill spreads.