Kaspersky Lab discovered a new version of Shamoon and stumbles during the investigation, in a new malware that deletes data on disk and overwrites the master boot record.
It was August of 2012 when the Arab oil company Saudi Aramco has views knock out about 35 thousand workstations due to a cyber attack conducted with the Shamoon virus. It has been a particularly serious attack that has requested weeks before Saudi Aramco could return to normal operation: the key feature of Shamoon is the elimination of present data on the hard disk of the target system and the overwriting of the master boot records, making the system unusable. Appeared out of nowhere, Shamoon is quickly returned into oblivion after having completed its destructive mission.
Until now: since last November researchers Kaspersy Lab have found three attacks made with a new Shamoon variant, which adds new tools and techniques than its predecessor such as less reliance on command-and-control external server, ransomware fully operational and new components to 32-bit and 64-bit. The principle of operation is roughly the same as the 2012 version: Shamoon 2.0 nestles quietly in a target network, so as to allow attackers to obtain administrator accesses.
At this point Shamoon builds its ” wiper ” (literally the wiper: allegorically makes very good idea of the action Shamoon storage unit) that uses credentials gathered in the previous stage to spread widely within the network the victim. At a date set the wiper is activated and quickly knocks out the machines it has infected. The final phase of the attack is automated. The feature eliminates the need to establish communications with a command-and-control server.
During its investigation of Shamoon researchers, they have stumbled upon another threat, which behaves the same way, or delete data on the hard disk of the target. The new threat shows some similarities with code Shamoon, but the researchers concluded, after further analysis, it is a distinct and unusual malware that have given the name of ” StoneDrill “.
In addition to the similarities with Shamoon, StoneDrill reuse of code elements used in a spying campaign called ” NewsBeef ” that has targeted various areas around the world. Stone Drill contains in its interior functions of backdoor specially used for espionage purposes. The Kaspersky researchers have identified four command-and-control panels used by attackers to steal information from an unknown number of targets using StoneDrill.
Among other sinister capacities of this malware there is also that of being able to evade detection measures thanks to the possibility of avoiding the use of the disk driver during installation. In order to achieve this injects a wiping form in the memory of the system associated with the user’s favorite browser. StoneDrill was discovered to target an oil company in Europe, where the wipers used in the Middle East have never been previously encountered.
” The discovery of StoneDrill in Europe is an important sign that the group is expanding its devastating attacks outside the Middle East. The target of the attack seems to be a large company with extensive activities in the petrochemical industry, with no apparent connection or interest in Saudi Arabia, ” wrote Kaspersky Lab researchers in a report of 35 pages published in the course of the day.
The researchers are not yet able to reconstruct the spread of StoneDrill strategy. It is possible that it is a tool used, for more targeted purposes, by the same group that uses Shamoon, as well as it is possible that StoneDrill and Shamoon is used by two different groups that have no connection between them and only coincidentally have targeted the same reality at the same time.