Kaspersky Lab discovers new disk-wiping malware Kaspersky Lab discovers new disk-wiping malware
Researchers say they stumbled across it while chasing another disk-wiping malware called Shamoon 2.0. Kaspersky Lab discovers new disk-wiping malware

Securing the world against malware is a big job, but the people over at Kaspersky Lab are on the job. Just this week, researchers at the company discovered a new malware that’s capable of wiping entire hard disks, even in this age of enterprise-grade endpoint security software.

They are calling it StoneDrill, and unveiled its existence in a press release sent out earlier this week. The researchers say it has only been found on two machines so far – one in the Middle East, and one in Europe – and that they actually stumbled across it while chasing another malware called Shamoon 2.0.

While the manner in which this new malware propagates itself is still unknown, apparently it operates in a fashion similar to Shamoon, while also being “very different and more sophisticated”.

Regarding how it works, the release says “Once on the attacked machine it injects itself into the memory process of the user’s preferred browser. During this process [StoneDrill] uses two sophisticated anti-emulation techniques aimed at fooling security solutions installed on the victim machine. The malware then starts destroying the computer’s disc files.”

The researchers also discovered a StoneDrill back door, which they say appears to have been created by the same coders. Back doors are incredibly dangerous as they open compromised systems to espionage.

“Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets,” the release says.

The researchers noted that StoneDrill “…appears to have connections to several other wipers and espionage operations observed previously”, which they discovered using a tool created to help them identify unknown samples of Shamoon. The similar mindset and programming styles of the two malwares indicated in their underlying code suggested to the researchers that they both originated from the same set of coders.

Shamoon rose to infamy back in 2012, when it infected 35000 computers in an oil and gas company in the Middle East in an attack that Kaspersky says put 10% of the world’s oil supply “potentially at risk”. Shamoon earned itself a 2.0 suffix when it made a re-appearance in 2016 with a significant upgrade to the original 2012 code.

“We were very intrigued by the similarities and comparisons between these three malicious operations. Was StoneDrill another wiper deployed by the Shamoon actor? Or are StoneDrill and Shamoon two different and unconnected groups that just happened to target Saudi organisations at the same time? Or, two groups which are separate but aligned in their objectives? The latter theory is the most likely one: when it comes to artifacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found. But of course, we do not exclude the possibility of these artifacts being false flags,” says Mohamad Amin Hasbini, senior security researcher, Global Research and Analysis Team, Kaspersky Lab.

Kaspersky ended off the announcement with the proclamation that its security suites have been updated, and can now detect and block all Shamoon- and StoneDrill-related malwares.

Leave a Reply