
Shamoon malware spawns even nastier 'StoneDrill'

Data-destroying code moves on from Middle East, now rampaging through Europe

By Richard Chirgwin, 7 Mar 2017

Researchers following up on last November's re-emergent Shamoon malware attacks have found something even nastier.

A quartet of Kaspersky researchers say the “StoneDrill” malware sits in a victim's browser and wipes any physical or logical path accessible with the target user's privileges.

Although StoneDrill mostly seeks Saudi Arabian targets (and has Persian language resources in the code), Kaspersky's authors Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, and Sergey Mineev discovered it in Europe, and take this as a hint that the attackers might be widening their campaign.

There's also a backdoor module that has a choice of four command and control servers. The commands the researchers found in the malware, including screenshot and upload capabilities, suggest an espionage operation. To help evade detection, it operates at the file level and doesn't need to use disk drivers during installation.

StoneDrill also has better anti-emulation techniques than Shamoon 2.0, they write.

Like Shamoon 2.0, StoneDrill was apparently compiled in October and November 2016 (going by timestamps the authors left in the debug directory).
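The dating above rests on two timestamps a compiler leaves in a Windows executable: the COFF header's TimeDateStamp and the TimeDateStamp inside each IMAGE_DEBUG_DIRECTORY entry. Either can be forged, so an analyst reads both and checks that they agree. The script below is an added example, not code from the article or from Kaspersky; it builds a tiny PE32 image with constructed sample timestamps (not StoneDrill's real values), extracts both stamps with the standard library only, and flags an image whose stamps disagree.

```python
import struct
from datetime import datetime, timezone

_OPT_MAGIC_PE32 = 0x10B
_OPT_MAGIC_PE32PLUS = 0x20B
_DEBUG_DIR_INDEX = 6      # IMAGE_DIRECTORY_ENTRY_DEBUG
_DEBUG_ENTRY_SIZE = 28    # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def compile_timestamps(data):
    """Return the COFF TimeDateStamp and every debug-directory TimeDateStamp
    in a PE image, all as Unix epoch seconds."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (_machine, nsections, coff_ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == _OPT_MAGIC_PE32:          # NumberOfRvaAndSizes at +92, dirs at +96
        nrva, dirs_off = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == _OPT_MAGIC_PE32PLUS:    # 8-byte ImageBase shifts them by 16
        nrva, dirs_off = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_off = opt + opt_size               # section table follows the optional header
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    debug_ts = []
    if nrva > _DEBUG_DIR_INDEX:
        dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs_off + _DEBUG_DIR_INDEX * 8)
        if dbg_rva and dbg_size:
            off = _rva_to_offset(dbg_rva, sections)
            for j in range(dbg_size // _DEBUG_ENTRY_SIZE):
                # TimeDateStamp is the second DWORD of each debug entry
                debug_ts.append(struct.unpack_from("<I", data, off + j * _DEBUG_ENTRY_SIZE + 4)[0])
    return {"coff": coff_ts, "debug": debug_ts}


def timestamps_consistent(data, tolerance=3600):
    """True when every debug-directory stamp lies within `tolerance` seconds of
    the COFF stamp; a mismatch is a hint that one of them was tampered with."""
    ts = compile_timestamps(data)
    return all(abs(t - ts["coff"]) <= tolerance for t in ts["debug"])


def fmt(ts):
    """Render an epoch timestamp as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_pe(coff_ts, debug_ts):
    """Construct a minimal PE32 image (sample data, not a real binary) with one
    section that holds a single CodeView debug-directory entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, _OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + _DEBUG_DIR_INDEX * 8, 0x1000, _DEBUG_ENTRY_SIZE)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    debug_entry = struct.pack("<IIHHIIII", 0, debug_ts, 0, 0, 2, 0, 0, 0)  # Type 2 = CODEVIEW
    return headers + debug_entry.ljust(0x200, b"\0")


# Constructed sample: both stamps fall in October 2016, one minute apart.
SAMPLE_PE = build_sample_pe(1476835200, 1476835260)

if __name__ == "__main__":
    ts = compile_timestamps(SAMPLE_PE)
    print("COFF :", fmt(ts["coff"]))
    for t in ts["debug"]:
        print("DEBUG:", fmt(t))
    print("consistent:", timestamps_consistent(SAMPLE_PE))
```

Run it against a real sample by replacing `SAMPLE_PE` with the file's bytes; agreement between the two stamps does not prove the date is genuine, but disagreement is worth noting in a report.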

The full report lists the detection names Kaspersky uses for Shamoon 2.0 and StoneDrill: Trojan.Win32.EraseMBR.a, Trojan.Win32.Shamoon.a, Trojan.Win64.Shamoon.a, Trojan.Win64.Shamoon.b, Backdoor.Win32.RemoteConnection.d, Trojan.Win32.Inject.wmyv, Trojan.Win32.Inject.wmyt and HEUR:Trojan.Win32.Generic. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing