Back in 2012, we published an analysis of Shamoon wiper malware, which was presumably connected to an attack on Saudi Aramco, а Saudi Arabian national petroleum and natural gas company. That attack affected almost 30,000 workstations, and company spent a week trying to relaunch its IT systems. Well, it seems that Shamoon is back with a new version, and this time it is accompanied by another piece of malware with similar capabilities but far more advanced evasive technologies. We call it StoneDrill.
Shamoon 2.0 shares many similarities with its predecessor. It appears that malefactors carefully prepare an attack on every single target. They obtain administrator credentials and build a custom wiper that leverages these credentials to spread widely inside the organization. The malware activates on a predefined date, rendering victims’ computers completely inoperable. Among the targets of Shamoon 2.0 are organizations in various critical and economic sectors in Saudi Arabia.
However, in the course of investigating this new malware, we found more: a previously unknown sample we dubbed StoneDrill. In some aspects it is similar to Shamoon (again, it is a wiper), but it has a couple of differences. First of all, its targets are not restricted to Saudi companies — we found at least one victim in Europe. And another peculiarity: It employs several techniques that help malware evade detection. Most of those methods are aimed against emulation technology. For example, it makes numerous WinAPI calls with invalid parameters. It also does not use drivers during deployment but relies on memory injection of the wiping module into the victim’s preferred browser.
The most dangerous thing about StoneDrill is that it was detected only because we were hunting for another piece of malware. Its evasiveness again demonstrates that to fight modern threats, cybersecurity personnel must be experts in malware analysis. So, once again, we would like to invite you to our training on reverse engineering that will take place before the Security Analyst Summit. The 50% discount on SAS is still active for all who sign up for this training.
For full technical details, including indicators of compromise and the Yara rules that our experts used to catch this malware, see this Securelist blogpost.