StoneDrill: advanced, destructive malware in the wild

Kaspersky Lab's Global Research and Analysis Team has discovered a new, sophisticated wiper (malware that deletes files) called StoneDrill. Just like another notorious wiper, Shamoon, it destroys everything on an infected computer. StoneDrill also has advanced anti-detection techniques and espionage tools in its arsenal.

In addition to targets in the Middle East, a StoneDrill target has also been discovered in Europe, where wipers used in the Middle East had not previously been found in the wild.

In 2012, the wiper Shamoon (also known as Disttrack) gained attention by destroying approximately 35,000 computers at an oil and gas company in the Middle East. This devastating attack put 10% of the world's oil supply at potential risk. However, the incident was a one-off, and after it the actor behind it went quiet. In late 2016, it returned in the form of Shamoon 2.0, a considerably more extensive malware campaign using a heavily updated version of the 2012 malware.

While investigating these attacks, Kaspersky Lab researchers unexpectedly detected a piece of malware built in a style similar to Shamoon 2.0. At the same time, it was very different from, and more sophisticated than, Shamoon. They called it StoneDrill.

StoneDrill - a wiper with connections

It is not yet known how StoneDrill spreads, but once it lands on the target device, it injects itself into the memory of the user's preferred browser process. During this process, it uses two sophisticated anti-emulation techniques to deceive the security solutions installed on the victim's computer. The malware then starts destroying the files on the computer's disk.

So far, at least two targets of the StoneDrill wiper have been identified, one based in the Middle East and the other in Europe.

In addition to the file-deletion function, Kaspersky Lab researchers have also identified a StoneDrill backdoor, which appears to have been developed by the same authors and used for espionage purposes. Experts discovered four command-and-control panels used by the attackers to run espionage operations with the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting thing about StoneDrill is that it appears to be connected to several other wipers and espionage operations observed in the past. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara rules written to detect unknown samples of Shamoon, they realized they were looking at a unique piece of malicious code that appears to have been created separately from Shamoon. Even though the two families, Shamoon and StoneDrill, do not share exactly the same code base, their creators' mindset and programming style seem to be similar. This is why it was possible to find StoneDrill with the Yara rules developed for Shamoon.

Code similarities with previously known malware were also observed, this time not between Shamoon and StoneDrill. In fact, StoneDrill uses some code sections previously identified in the NewsBeef APT, also known as Charming Kitten, another malicious campaign that has been highly active in recent years.

"We were very interested in the similarities and comparisons between these three malicious operations. Was StoneDrill another file-deleting malicious program developed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unrelated groups that just happened to be targeting organizations in Saudi Arabia at the same time? Or two groups that are separate but aligned in their goals? The latter theory is the most probable: based on the findings we can say that while Shamoon embeds language resource sections of Arabic and Yemeni origin, StoneDrill embeds mainly language resource sections of Persian origin. Geopolitical analysts would probably quickly point out that both Iran and Yemen are players in the 'proxy war' between Iran and Saudi Arabia, and that Saudi Arabia is the country where most of the victims were found. But of course, we do not rule out the possibility that these findings are 'false flags'," said David Emm, Senior Security Researcher at Kaspersky Lab.

To protect organizations from such attacks, Kaspersky Lab security experts advise the following:

  • Conduct a security assessment of the control network (i.e., a security audit, penetration testing, gap analysis) to identify and address any gaps. It is also recommended to review the security policies of external vendors and third parties in case they have direct access to the control network.
  • Seek external intelligence: information from trusted vendors helps organizations anticipate future attacks on the company's industrial infrastructure. Emergency response teams, such as Kaspersky Lab's ICS CERT team, provide cross-industry information free of charge.
  • Educate your employees, paying special attention to operational and technical staff and raising awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A good security strategy must devote significant resources to attack detection and response, so that an attack can be stopped before it reaches critical assets.
  • Evaluate advanced protection methods: these include regular integrity checks for controllers, as well as specialized network monitoring, to raise the overall security of the company and reduce the chances of a successful breach, even if some inherently vulnerable nodes cannot be patched or removed.

For more information about Shamoon 2.0 and StoneDrill, you can read the blogpost available on the Securelist.com website. More information about Shamoon attacks can be found here.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
