StoneDrill: advanced, destructive malware in the wild

Kaspersky Lab's Global Research and Analysis Team has discovered a new, sophisticated wiper (malware that deletes files), named StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on an infected computer. StoneDrill also has advanced anti-detection techniques and tools in its arsenal.

In addition to targets in the Middle East, a StoneDrill target has also been discovered in Europe, where wipers used in the Middle East had not previously been found in the wild.

In 2012, the wiper Shamoon (also known as Disttrack) caught the eye by destroying some 35,000 computers at an oil and gas company in the Middle East. This devastating attack left 10% of the world's oil supplies at potential risk. However, the incident was unique in its kind, and after that its operator went quiet. In late 2016, it returned in the form of Shamoon 2.0, a much more widespread malware campaign that uses a heavily updated version of the 2012 malware.

Investigating these attacks, Kaspersky Lab researchers unexpectedly detected a piece of malicious software built in a style similar to Shamoon 2.0. At the same time, it was very different from, and more sophisticated than, Shamoon. They called it StoneDrill.

StoneDrill: a wiper with connections

It is not yet known how StoneDrill spreads, but once it reaches the target device, it injects itself into the memory of the user's preferred program. During this process, it uses two sophisticated anti-emulation techniques with the aim of fooling the security solutions installed on the victim's computer. The malware then begins corrupting the files on the computer's disk.

So far, at least two targets of the StoneDrill wiper have been identified, one based in the Middle East and the other in Europe.

In addition to the file-wiping function, Kaspersky Lab researchers have also identified a StoneDrill backdoor, which appears to have been developed by the same code authors and used for espionage purposes. Experts discovered four command and control panels used by the attackers to run espionage operations with the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting thing about StoneDrill is that it seems to be connected to several other wiper and espionage operations observed in the past. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara rules written to detect unknown samples of Shamoon, they realized that they were looking at a unique piece of malicious code that appears to have been created separately from Shamoon. Even though the two families, Shamoon and StoneDrill, do not share the same code base, their creators' mindset and programming style seem to be similar. For this reason it was possible to find StoneDrill with the Yara rules developed for Shamoon.

Code similarities with previously known malware were also observed, this time not between Shamoon and StoneDrill. In fact, StoneDrill uses some code sections that had previously been identified in the NewsBeef APT, also known as Charming Kitten, another malicious campaign that has been very active in recent years.

"Our interest in the similarities and comparisons between these three malicious activities was very large. Was StoneDrill another file-deleting malicious program developed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unrelated groups that just happened to be targeting organizations in Saudi Arabia at the same time? Or two teams that are separate but aligned in terms of their goals? The latter theory is the most probable: in terms of the findings we can say that while Shamoon integrates language sections from Arabic resources, as well as resources from Yemen, StoneDrill incorporates mainly language sections of resources of Persian origin. Geopolitical analysts would probably quickly point out that both Iran and Yemen are players in the 'proxy war' between Iran and Saudi Arabia, and that Saudi Arabia is the country where most of the victims were found. But of course, we do not rule out the possibility that these findings are 'false flags'," said David Emm, Senior Researcher at Kaspersky Lab.

To protect organizations from such attacks, Kaspersky Lab security experts advise the following:

  • Perform a security audit of the control network (i.e. a security assessment, penetration testing, gap analysis) to identify and remove any security gaps. It is also recommended to review the security policies of external suppliers and third parties if they have direct access to the control network.
  • Request external intelligence: intelligence from trusted vendors helps organizations anticipate future attacks on the company's industrial infrastructure. Emergency response teams, such as the Kaspersky Lab ICS CERT, provide cross-industry intelligence free of charge.
  • Educate your employees, paying special attention to operational and technical staff and raising awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A good security strategy must devote significant resources to attack detection and response, so that an attack is stopped before it reaches critical assets.
  • Evaluate advanced protection methods, including regular integrity checks for controllers, as well as specialized network monitoring, to increase overall company security and reduce the likelihood of a successful breach even if some inherently vulnerable nodes cannot be patched or removed.
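The "regular integrity checks" in the last recommendation can be made concrete with a small baseline-and-verify tool. The following is an added example, not code from the original article or from Kaspersky Lab: it records SHA-256 digests for every file under a directory, and a later pass reports what was modified, deleted or added, with a simple threshold that flags the mass destruction a wiper like StoneDrill or Shamoon leaves behind. The directory layout, file contents and the 50% threshold are constructed for the demonstration.

```python
"""File-integrity baseline and verification for detecting wiper damage.

Added example (not Kaspersky Lab's tooling). A baseline of SHA-256 digests is
recorded for a directory tree; a later verification pass reports files that were
modified, deleted or added. A wiper shows up as a burst of 'modified' and
'deleted' entries, so a share-of-baseline threshold raises an alert.
"""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def verify_baseline(root, baseline):
    """Compare the current tree against a stored baseline.

    Returns a dict with sorted lists under 'modified', 'deleted' and 'added'.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def wiper_alert(report, baseline_size, threshold=0.5):
    """True when the share of baseline files damaged (modified or deleted) reaches the threshold.

    The 0.5 threshold is an assumption for this example; tune it to the monitored tree.
    """
    if baseline_size == 0:
        return False
    damaged = len(report["modified"]) + len(report["deleted"])
    return damaged / baseline_size >= threshold


def demo():
    """Constructed scenario: baseline three files, then damage two of them in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree
        (root / "config.ini").write_text("mode=production\n")
        (root / "logs").mkdir()
        (root / "logs" / "app.log").write_text("service started\n")
        (root / "report.docx").write_bytes(b"constructed document bytes")
        baseline = build_baseline(root)

        # Simulated damage, confined to the temporary directory created above
        (root / "config.ini").write_bytes(b"\x00" * 16)   # overwritten with zeros
        (root / "report.docx").unlink()                    # deleted
        (root / "new.tmp").write_text("dropped file\n")    # unexpected new file

        report = verify_baseline(root, baseline)
        report["alert"] = wiper_alert(report, len(baseline))
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the baseline would be written to storage the monitored host cannot overwrite (a read-only share or a separate collector), since a wiper that can reach the baseline file can erase the evidence along with the data.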

For more about Shamoon 2.0 and StoneDrill, you can read the blog post available on the dedicated website Securelist.com. More information about the Shamoon attacks can be found here.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
