New Wiper Malware Discovered Targeting Europe and Middle East

A new strain of “wiper” malware has been discovered targeting devices across the Middle East and Europe.

Researchers at Kaspersky Lab said they made the discovery when looking into the re-emergence of the similar Shamoon malware, which wiped 35,000 computers belonging to a Saudi Arabian oil and gas company in 2012. After that event Shamoon went quiet, but returned at the end of 2016.

Kaspersky said that it was while researching Shamoon 2.0 that it discovered “a very different and more sophisticated” wiper malware, which it has dubbed StoneDrill.

Once installed, StoneDrill injects itself into the memory of the user’s browser process. From there it uses a couple of anti-emulation techniques to avoid detection and begins to destroy files on the victim’s hard drive.

It also contains elements of cyber-espionage. Researchers discovered four command and control panels used by the attackers for spying on unknown targets.

So far Kaspersky researchers have identified two victims of StoneDrill - one in the Middle East and the other in Europe. The discovery of a victim in Europe is interesting, as it suggests whoever is behind it is expanding its scope to targets beyond the Middle East.

There are several similarities between Shamoon 2.0 and StoneDrill, primarily in terms of the time frame of the attacks and the targets. There are, however, several differences between the two: StoneDrill uses advanced evasion techniques, external scripts and injects directly into the victim’s browser; Shamoon 2.0 does none of those.

Kaspersky researchers therefore believe that the two were created by “different groups which are aligned in their interests”, rather than there being any direct link between the two. There are however interesting similarities between StoneDrill and NewsBeef APT - the newer malware uses some parts of the code previously associated with NewsBeef, and both have targeted Saudi companies.

“We were very intrigued by the similarities and comparisons between these three malicious operations. Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time? Or, two groups which are separate but aligned in their objectives?” said Mohamad Amin Hasbini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

“The latter theory is the most likely one: when it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artefacts being false flags,” he added.