StoneDrill: advanced, destructive malware in the wild

Kaspersky Lab's Global Research and Analysis Team has discovered a new, sophisticated wiper (malware that deletes files), named StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on an infected computer. StoneDrill also has advanced anti-detection techniques and espionage tools in its arsenal.

In addition to targets in the Middle East, a StoneDrill target has also been discovered in Europe, where wipers used in the Middle East had not previously been seen in the wild.

In 2012, the wiper Shamoon (also known as Disttrack) drew attention by destroying approximately 35,000 computers at an oil and gas company in the Middle East. This devastating attack left 10% of the world's oil supply potentially at risk. However, the incident was one of a kind, and after it the actor ceased operating. In late 2016, it returned in the form of Shamoon 2.0, a far more extensive malicious campaign that used a heavily updated version of the 2012 software.

While investigating these attacks, Kaspersky Lab researchers unexpectedly found malware built in a style similar to Shamoon 2.0. At the same time, it was very different from Shamoon and more sophisticated. They called it StoneDrill.

StoneDrill - a wiper with connections

It is not yet known how StoneDrill spreads, but once on the target device, it injects itself into the memory process of the user's preferred browser. During this process, it uses two sophisticated anti-emulation techniques intended to fool the security solutions installed on the victim's computer. The malware then starts destroying the files on the computer's disk.

So far, at least two targets of the StoneDrill wiper have been identified, one based in the Middle East and the other in Europe.

In addition to the file deletion function, Kaspersky Lab researchers have also identified a StoneDrill backdoor, which appears to have been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels used by the attackers to run espionage operations with the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting fact about StoneDrill is that it appears to be linked to several other wipers and espionage operations seen in the past. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara rules created to detect unknown Shamoon samples, they realized they were looking at a unique piece of malicious code that appears to have been created separately from Shamoon. Even though the two families, Shamoon and StoneDrill, do not share exactly the same code base, the mindset of their authors and their programming style appear to be similar. That is why it was possible to identify StoneDrill with the Yara rules that had been developed for Shamoon.

Code similarities with previously known malware were also observed, but this time not between Shamoon and StoneDrill. In fact, StoneDrill uses some code sections previously identified in the NewsBeef APT, also known as Charming Kitten, another malicious campaign that has been very active in recent years.

"Our interest in the similarities and comparisons between these three malicious activities was very large. Was StoneDrill another malicious program that deletes files, developed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unrelated groups that just happened to be targeting organizations in Saudi Arabia at the same time? Or two teams that are separate but aligned in terms of their goals? The latter theory is the most probable: in terms of the findings, we can say that while Shamoon integrates language sections from Arabic resources, as well as resources from Yemen, StoneDrill incorporates mainly language sections from resources of Persian origin. Geopolitical analysts would probably quickly point out that both Iran and Yemen are players in the 'proxy war' between Iran and Saudi Arabia, and that Saudi Arabia is the country where most of the victims were found. But of course, we do not rule out the possibility that these findings are 'false flags'," said David Emm, Senior Security Researcher at Kaspersky Lab.

To protect organizations from such attacks, Kaspersky Lab security experts advise the following:

  • Conduct a security assessment of the control network (i.e., a security audit, gap analysis) to identify and remove any security gaps. It is also recommended to review external suppliers and third-party security policies in case they have direct access to the control network.
  • Request external intelligence: intelligence from reputable sources helps organizations predict future attacks on the company's industrial infrastructure. Emergency response teams, such as Kaspersky Lab's ICS CERT, provide cross-industry intelligence.
  • Educate your employees, paying special attention to operational and technical staff and raising awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A good security strategy must devote significant resources to attack detection and response, so that an attack is stopped before it reaches critically important objects.
  • Evaluate advanced protection methods, including regular integrity checks for controllers and specialized network monitoring, to increase overall company security and reduce the likelihood of a successful breach even if some inherently vulnerable nodes cannot be patched or removed.

For more information about Shamoon 2.0 and StoneDrill, you can read the blogpost available on the website. More information about Shamoon attacks can be found here.


Written by Dimitris
