The dangerous disk-wiping malware Shamoon, which was responsible for destroying nearly 35,000 computers at Saudi Aramco in 2012 and for other high-profile attacks across the Middle East after that, has a successor. A new wiper malware, dubbed StoneDrill, has been uncovered by security researchers and is believed to be targeting more organisations across Saudi Arabia and Europe.
Researchers also uncovered that Shamoon 2.0's latest variant now also comes with fully functional ransomware capabilities and new 32-bit and 64-bit components. Researchers found that StoneDrill, in addition to targeting organisations in Saudi Arabia, also targeted the Kaspersky Security Network (KSN) in Europe, indicating that the cybercriminals behind the malware may be expanding their operations.
According to Kaspersky Lab researchers, StoneDrill comes with notable detection-evading features: rather than using disk drivers, it relies on "memory injection of the wiping module into the victim's preferred browser". The newly discovered malware also comes with a backdoor that can support cyberespionage activities. Researchers uncovered four different command and control (C&C) panels used by the hackers to steal data from an unspecified number of targets.
Kaspersky Lab researchers said, "Our discovery of StoneDrill gives another dimension to the existing wave of wiper attacks against Saudi organizations that started with Shamoon 2.0 in November 2016." Researchers noted that both malware strains were compiled around the same time, between October and November 2016, and "appear to be targeting Saudi organizations".
Researchers said, "The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East. The target for the attack appears to be a large corporation with a wide area of activity in the petro-chemical sector, with no apparent connection or interest in Saudi Arabia."
Notably, StoneDrill also reuses code from a cyberespionage campaign called "NewsBeef", which targeted multiple organisations across the globe.
Researchers added, "StoneDrill appears to be connected with previously reported NewsBeef activity, which continues to target Saudi organizations. From this point of view, NewsBeef and StoneDrill appear to be continuously focused on targeting Saudi interests, while Shamoon is a flashy, come-and-go high impact tool."
They suspect that "StoneDrill and Shamoon are used by different groups which are aligned in their interests". Researchers also indicated that, in terms of attribution, Iran and Yemen could be considered possible suspects.
The new activity surrounding Shamoon and the newly discovered StoneDrill indicates that the malware's four-year hiatus did not, as might have been expected, lead to it slowly fading into the dark. Instead, Shamoon and similar variants appear to be back with a vengeance and will likely go after additional targets in the near future.