Researchers following up on last November’s re-emergent Shamoon malware attacks have found something even nastier. A new, more dangerous malware called StoneDrill has been detected by Kaspersky Labs as they were studying Shamoon malware that has hit the energy sector in the Middle East initially. It is a data destroying code that sits in a victim’s browser, and wipes any physical or logical path accessible with the target user’s privileges.
Mike Patterson, CEO of Plixer says, ?StoneDrill demonstrates the impressive strides these miscreants have made at evading the most current detection methods. IP and domain reputation services are not helpful because this new strain doesn?t reach out to C&C servers. This means old school infiltration tactics such as phishing attacks or planting USB sticks in the work place parking lot could be a good way to get into the building. The malware is tested by its developers to ensure that it can evade sandbox techniques used by firewalls and it uses encryption. Organizations wishing to detect this type of infection must install agents such as Yara and/or leverage network behavior analysis techniques to uncover odd traffic patterns that could expose the signs of a Yara infection.?
Although StoneDrill mostly seeks Saudi Arabian targets (and has Persian language resources in the code), Kaspersky’s authors Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, and Sergey Mineev discovered it in Europe, and take this as a hint that the attackers might be widening their campaign.
There’s also a backdoor module that has a choice of four command and control servers. The commands the researchers found in the malware suggest an espionage operation, with screenshot and upload capabilities, and to help evade detection, it functions at the file level and doesn’t need to use disk drivers during installation.
StoneDrill also has better anti-emulation techniques, compared to Shamoon 2.0, they write.
Like Shamoon 2.0, StoneDrill was apparently compiled in October and November 2016 (going by timestamps the authors left in the debug directory).
The full report, here, identifies what Kaspersky looks for in Shamoon 2.0 and StoneDrill: Trojan.Win32.EraseMBR.a, Trojan.Win32.Shamoon.a, Trojan.Win64.Shamoon.a, Trojan.Win64.Shamoon.b, Backdoor.Win32.RemoteConnection.d, Trojan.Win32.Inject.wmyv, Trojan.Win32.Inject.wmyt and HEUR:Trojan.Win32.Generic.
Source: theregister.co.uk