
Saudi Arabia is being attacked by the new StoneDrill malware



Today, Kaspersky Lab experts reported the discovery of new, sophisticated malware that destroys all data on the victim's computer. The malware, named StoneDrill, not only wipes information from hard drives but also spies on its victims. It can also hide from the detection tools that anti-virus products are equipped with.

According to Kaspersky Lab experts, StoneDrill is very similar to another piece of malware that caused a lot of damage to home and corporate computers in 2012: the Shamoon program (also known as Disttrack). In the Middle Eastern oil and gas company Saudi Aramco alone, this virus disrupted the operation of about 35 thousand computers, and the organization's normal work could be restored only 10 days after the infection. How many computers the malware hit in other companies and regions is not known for sure.

Because of such a massive blow, the company suffered significant damage, which affected the entire oil and gas industry, not only in Saudi Arabia but worldwide. Almost immediately after this incident, the Shamoon developers ceased their activities, and the virus stopped spreading. Now, according to Kaspersky Lab experts, a similar virus has appeared, equipped with a number of additional modules that extend the software's functionality.
That said, Shamoon and StoneDrill should not be considered different versions of the same virus: the principle of their operation is still different. What the two share is the ability to hide from antiviruses. Kaspersky Lab itself detected the virus using several targeted-attack detection rules that had been created to catch Shamoon, which is now in its second version. Shamoon returned last year and again began attacking the computers of companies in Saudi Arabia. Specific detection tools were developed for Shamoon 2.0, and with their help information security experts found another, hitherto unknown malicious program: StoneDrill.

The virus itself has been identified, but many details of how it works are still unknown, for example its method of distribution. However, experts were able to find out how StoneDrill goes unnoticed by antivirus software: it uses two anti-emulation techniques that allow the virus to evade behavior-based detection. Once on the victim's PC, StoneDrill immediately injects itself into the memory of the main browser process on that particular computer. After that, the virus begins destroying files on the hard disk and spying on the victim. Kaspersky Lab employees managed to find four servers from which the attackers monitor their victims.
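The two behaviours described above, injection into the victim's main browser process and mass destruction of files on disk, are exactly the kind of activity endpoint telemetry can flag. The script below is an added illustration, not code from the article or from Kaspersky Lab: it runs two heuristics over a constructed, Sysmon-like JSON-lines event stream (the event schema, the process names, the allow-list and the thresholds are all assumptions to be tuned per environment).

```python
"""Detection heuristics for the behaviours the article attributes to StoneDrill:
injection into the browser process and mass file destruction.
Added example, not Kaspersky Lab's code; the event format is a constructed,
Sysmon-like JSON-lines stream, not a real product schema."""
import json
from collections import defaultdict

# Assumption: the browsers we expect to see as injection targets.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Assumption: processes allowed to create threads in a browser (the browser
# itself spawning helpers, plus the Windows subsystem process). Tune locally.
ALLOWED_INJECTORS = BROWSERS | {"csrss.exe"}

# Constructed sample telemetry (not captured from a real infection).
# "remote_thread" ~ a thread created in another process; "file_write" ~ a file
# being overwritten. Timestamps are seconds.
SAMPLE_EVENTS = """
{"ts": 100, "type": "remote_thread", "source": "chrome.exe", "target": "chrome.exe"}
{"ts": 101, "type": "remote_thread", "source": "update.exe", "target": "chrome.exe"}
{"ts": 102, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/doc1.docx"}
{"ts": 103, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/doc2.docx"}
{"ts": 104, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/doc3.xlsx"}
{"ts": 105, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/notes.txt"}
{"ts": 106, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/photo.jpg"}
{"ts": 107, "type": "file_write", "process": "chrome.exe", "path": "C:/Users/a/budget.pdf"}
{"ts": 110, "type": "file_write", "process": "backup.exe", "path": "D:/backup/2017-03-06.zip"}
{"ts": 111, "type": "file_write", "process": "backup.exe", "path": "D:/backup/index.db"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_browser_injection(events):
    """Flag remote threads created in a browser by a process that is not
    itself a browser or an allow-listed system process."""
    alerts = []
    for e in events:
        if e["type"] != "remote_thread":
            continue
        if e["target"] in BROWSERS and e["source"] not in ALLOWED_INJECTORS:
            alerts.append({"ts": e["ts"], "source": e["source"], "target": e["target"]})
    return alerts


def detect_mass_file_writes(events, threshold=5, window=10):
    """Flag any process that overwrites at least `threshold` files within any
    `window`-second interval. Note the writes come from the browser process
    itself once a wiper runs inside it, so the process name alone is no
    indicator; the rate is."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_write":
            per_proc[e["process"]].append(e["ts"])
    alerts = []
    for proc, stamps in per_proc.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):            # sliding window over timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append((proc, best))
    return alerts


def analyze(text, threshold=5, window=10):
    """Run both heuristics over a telemetry stream and return the findings."""
    events = parse_events(text)
    return {
        "browser_injection": detect_browser_injection(events),
        "mass_file_writes": detect_mass_file_writes(events, threshold, window),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_EVENTS).items():
        print(name, findings)
```

In the constructed sample the injection alert fires on `update.exe` writing into `chrome.exe`, and the wiper heuristic then fires on `chrome.exe` itself, which is the point: once the payload runs inside the browser, the destructive file activity is attributed to a trusted process name, so a rate-based rule catches what a name-based one would miss, while the two-file backup job stays below the threshold.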


A small portion of the malware code in the file being analyzed

As for the similarities between Shamoon and StoneDrill, the two pieces of malware have quite a lot in common, although, as far as can be judged, they were made by different teams. One difference is that the Shamoon code contains a Yemeni dialect of Arabic, while Persian was found in StoneDrill. From this, cybersecurity experts suggest that the malware was developed by Iranian and Yemeni developers who may be interested in causing maximum damage to companies in Saudi Arabia, since this region has the largest number of victims of StoneDrill and Shamoon attacks. But this is only an assumption that may have no real basis. At the same time, the Saudi authorities accuse Iran of carrying out the attack.

After a detailed analysis, Kaspersky Lab employees were able to find out some important details of the attacks using Shamoon and StoneDrill:




StoneDrill's significant difference is that this virus was spotted during an attack on the computer networks of an unnamed European organization. Thus, this malware may have been developed by a team whose areas of interest include not only Saudi Arabia but also Europe.

Kaspersky Lab notes the similarity of StoneDrill's activity to that of another piece of malware, NewsBeef, which has long been attacking the computers and networks of organizations in Saudi Arabia. The company's experts believe that Shamoon can be an effective tool for short-term use, while NewsBeef and StoneDrill are tools for long-term impact.

Kaspersky Lab plans to talk more about the new threat at the Kaspersky Security Analyst Summit conference on April 2-6, 2017.

Source: https://habr.com/ru/post/402109/
