New variant of malware from 2012 erases hard drives via memory injection

Spread the love

Researchers from security firm Kaspersky have discovered a new variant of the Shamoon malware, which was actively used on targets in Saudi Arabia in 2012. The discovered version is named StoneDrill and has several new features.

Kasperksy has devoted a blog post to the new variant and has included further information in a report. It discusses the differences between the Shamoon and StoneDrill versions. The Shamoon malware, also known as Disttrack and which hit a Saudi Arabian energy company in 2012, among others, was used in November and January to carry out new attacks in the same region. This malware has been given the name Shamoon 2.0. While investigating this variant, Kaspersky came across the StoneDrill malware, which has also been detected on a target in Europe.

The two new variants have some similar properties. In both cases, it is about encrypted malware that infects a system and looks for administrator rights on the network in order to spread further. After that, the malicious software activates a wiper, which makes infected systems completely unusable. In addition, the malware samples were compiled around the same period in 2016.

Differences are that Shamoon 2.0 includes a ransomware module, which is not currently working, but may be in the future. StoneDrill in turn uses advanced techniques to avoid detection and does not use a driver to wipe systems. Instead, the wiper is injected directly into the target’s default browser memory. As a result, this version is not capable of raw disk wiping, but is limited to files that are accessible to the user. StoneDrill connects to c2 servers, while the latest version of Shamoon 2.0 does not communicate with the attackers. In addition, the language used in the malware components differs.

These similarities and differences lead Kaspersky to conclude that the malware comes from different groups that have similar objectives, although other scenarios are possible. The organization describes Shamoon as a flashy tool, used in isolated incidents, while StoneDrill along with the NewsBeef attacks demonstrate a continued focus on targets in Saudi Arabia. The discovery of StoneDrill at a petrochemical company in Europe with no connection to the region may indicate that the individuals behind it are targeting new targets.

You might also like
Exit mobile version