The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten.
Researchers at Kaspersky Lab have discovered further information about the dreaded Shamoon 2 malware. The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef). StoneDrill can be used for both cyber espionage and sabotage, like Shamoon it wipes the infected computer.
The malware was used by threat actors against entities in Saudi Arabia and at least one organization in Europe.
“While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware which appears to be targeting organizations in Saudi Arabia. We’re calling this new wiper StoneDrill. StoneDrill has several “style” similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection.” reads the analysis shared by Kaspersky Lab. “In addition to suspected Saudi targets, one victim of StoneDrill was observed on the Kaspersky Security Network (KSN) in Europe. This makes us believe the threat actor behind StoneDrill is expanding its wiping operations from the Middle East to Europe.”
At the time the report was published by Kaspersky, there are no reports of StoneDrill attacks that caused damage.
The discovery of the new threat was causal, researchers were using a set of Yara rules developed to identify the Shamoon malware.
Even if StoneDrill and Shamoon don’t share portions of code, the experts discovered many similarities between malware styles and malware components in Shamoon, StoneDrill, and NewsBeef.
The researchers are still investigating the infection process, they confirmed that StoneDrill implements sophisticated techniques to evade security applications.
While Shamoon uses drivers during deployment, StoneDrill implements memory injection mechanisms of the wiping module into the victim’s browser.
The wiper feature has been implemented using a new technique.
The wiper is able to target both physical and logical drives and reboots the system once the wipe process is completed.
“Depending on the configuration, this module wipes with random data one of following possible targets:
All accessible physical drives by using the device path “\\.\PhysicalDrive”
All accessible logical drives by using device path “\\.\X:”
Recursively wipes and deletes files in all folders except “Windows” on all accessible logical drives
Places a special emphasis on wiping files named “asdhgasdasdwqe%digits%” in the root folder of the disk.
The researchers at Kaspersky have detected a StoneDrill sample that was specifically designed to establish a backdoor on the infected system. The sample was likely developed for espionage purposes.
The experts identified four C&C servers used in cyber espionage activities, this means that StoneDrill uses C&C communications to receive instructions from attackers.
Researchers discovered that StoneDrill has many similarities (code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures) to a strain of malware used by Charming Kitten.
For this reason, it is considered an evolution of the Charming Kitten malware.
Is there the same threat behind StoneDrill and Shamoon threats?
According to the experts from Kaspersky, there are two separate groups behind the threat that anyway share the same objectives.
“While Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Of course, we do not exclude the possibility of false flags.” reads the report.
The last variant of the Shamoon malware that targeted organizations in Saudi Arabia also includes a newly discovered ransomware component.
According to the experts, the ransomware component of Shamoon 2 has yet to be used in the wild.
“Despite the widespread coverage of the resurgence of the Shamoon wiper, few have noted the new ransomware functionality. The wiper module of Shamoon 2.0 has been designed to run as either a wiper or an encryptor (ransomware). ” reads the Kaspersky’s analysis. “In the “encryption/ransomware” mode, a weak pseudo-random RC4 key is generated, which is further encrypted by the RSA public key and stored directly on the hard drive (at <\Device\Harddisk0\Partition0>) starting at offset 0x201, right after the master boot record”