Shamoon malware spawns even nastier 'StoneDrill'
Data-destroying code moves on from Middle East, now rampaging through Europe
Researchers following up on last November's re-emergent Shamoon malware attacks have found something even nastier.
A quartet of Kaspersky researchers say the “StoneDrill” malware sits in a victim's browser, and wipes any physical or logical path accessible with the target user's privileges.
Although StoneDrill mostly seeks Saudi Arabian targets (and has Persian language resources in the code), Kaspersky's authors Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, and Sergey Mineev discovered it in Europe, and take this as a hint that the attackers might be widening their campaign.
There's also a backdoor module that can pick from four command and control servers. The commands the researchers found in the malware suggest an espionage operation, with screenshot and upload capabilities. To help evade detection, it operates at the file level and doesn't need to use disk drivers during installation.
StoneDrill also has better anti-emulation techniques than Shamoon 2.0, they write.
Like Shamoon 2.0, StoneDrill was apparently compiled in October and November 2016 (going by timestamps the authors left in the debug directory).
The full report lists the detection names Kaspersky's products use for Shamoon 2.0 and StoneDrill: Trojan.Win32.EraseMBR.a, Trojan.Win32.Shamoon.a, Trojan.Win64.Shamoon.a, Trojan.Win64.Shamoon.b, Backdoor.Win32.RemoteConnection.d, Trojan.Win32.Inject.wmyv, Trojan.Win32.Inject.wmyt and HEUR:Trojan.Win32.Generic. ®