A new, sophisticated wiper malware has been discovered in destructive campaigns against both Middle Eastern and European targets.
Wiper malware has been spotted in the wild before. In 2012, Shamoon conducted a famous attack against Saudi Aramco which resulted in the destruction of 30,000 workstations and their data.
More recently, the “Dark Seoul Gang” used wiper malware to destroy computer hard drives at South Korean banks and broadcasting facilities, as well as attack the country’s financial companies.
Researchers from Kaspersky Labs say that the new malware strain, dubbed StoneDrill, is similar to Shamoon — which has recently resurfaced to take on Saudi Arabian targets — but more sophisticated and dangerous: it destroys everything on infected computers and is more difficult to both detect and eradicate.
In a blog post on Monday, Kaspersky said StoneDrill was discovered after examining the newly resurrected version of Shamoon, version 2.0.
The team discovered that StoneDrill is built in a “similar” style, but questions still remain over what attack vectors the malware utilizes to infect target machines.
However, once StoneDrill has reached its target, the malicious code injects itself into the memory of the user's preferred browser process and makes heavy use of anti-detection techniques to avoid being stopped by standard antivirus software.
By infiltrating the browser rather than drives, the malware is more likely to remain undetected for the time it needs to wipe data by overwriting both physical and logical drives with random numbers — rendering drives useless and making information impossible to recover.
The new wiper also appears to be connected with NewsBeef, an advanced persistent threat (APT) actor known for targeting Saudi Arabia using the Browser Exploitation Framework, BeEF.
StoneDrill also shares NewsBeef's WinMain signatures, backdoor commands, decryption routines, and command-and-control (C&C) server names.
While Shamoon is focused on the Middle East, StoneDrill represents the only known example of wiper malware attacking European targets. So far, at least one victim in each region has been detected.
Kaspersky Labs also discovered a StoneDrill backdoor used for spying purposes, alongside four command-and-control (C&C) panels used to run and monitor destructive campaigns.
“We were very intrigued by the similarities and comparisons between these three malicious operations,” said Mohamad Amin Hasbini, senior security researcher of the Kaspersky Global Research and Analysis Team. “Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organizations at the same time? Or, two groups which are separate but aligned in their objectives?”
“StoneDrill embeds mostly Persian resource language sections,” Hasbini added. “Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artifacts being false flags.”