There have been a handful of wiper malware attacks in the wild in the last decade, with Shamoon’s destruction of more than 35,000 workstations at Saudi Aramco in 2012, the 2013 Dark Seoul attacks on South Korean banks and broadcasters, and the 2014 destructive attack on Sony Pictures Entertainment the most high profile. Chris Doman, Security Researcher at AlienVault, commented below.
Chris Doman, Security Researcher at AlienVault:
“Kaspersky suggest in their report that the Stonedrill attackers may be linked to a group known as Newscaster – previously seen targeting the US military. There have been reports they are located within Iran, as are the Shamoon attackers. Whilst Shamoon and Stonedrill may share common targets and even resources, this is part of a wider proliferation of ideas.
Back in 2012 the Iranian Oil Ministry was attacked in one of the first destructive attacks. It wasn’t long after that similar attacks were being executed by Shamoon in the other direction. Perhaps they were shown the benefit of this style of destructive attack. These in turn were followed by another group of attackers targeting Sony and South Korean banks in destructive attacks. And now we have Stonedrill to watch out for too.
It’s novel that the new Shamoon attacks include a ransomware component. If you’re going to target an enemy – why not drain their resources and make some funds for yourself whilst you do it?
US-CERT provide good advice in mitigating these kinds of attacks. A solid detection and back-up strategy is key. Many of these attacks involve a worm component that looks for weak passwords on a network, and can be identified using centralised reporting of failed logins.”
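The detection Doman mentions at the end of his comment, centralised failed-login reporting used to spot a password-guessing worm, is shown below as an added example; it is not code from the article, from AlienVault or from any of the reports discussed. It assumes failed and successful logons have already been forwarded to one place (for instance Windows Security events 4625/4624 shipped to a SIEM) and normalised to one whitespace-separated record per line: timestamp, source address, target host, target account, outcome. The record format, the 10-minute window and the fan-out thresholds are assumptions for this example, and the sample records are constructed, not real telemetry.

```python
"""Spot a credential-guessing worm in centralised failed-logon records.

Added example, not part of the original article or AlienVault's tooling.
Assumed input: one record per line, "<ISO timestamp> <src> <host> <account>
<FAILURE|SUCCESS>", already collected centrally. The worm pattern we look for
is fan-out: one source failing against many hosts or many accounts in a short
window. A user mistyping one password against one server never fans out.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events).
#   10.0.5.23 sprays "administrator" and a few other names across five hosts
#             in eight seconds and then gets in on WS118.
#   10.0.7.88 is a user who mistypes their own password twice, then succeeds.
#   10.0.9.4  tries one host per hour: too slow for a 10-minute window to catch.
SAMPLE_LOG = """\
2017-03-06T09:00:01Z 10.0.5.23 FS01 jsmith FAILURE
2017-03-06T09:00:02Z 10.0.5.23 FS01 administrator FAILURE
2017-03-06T09:00:03Z 10.0.5.23 FS02 administrator FAILURE
2017-03-06T09:00:04Z 10.0.5.23 FS02 backup FAILURE
2017-03-06T09:00:05Z 10.0.5.23 DC01 administrator FAILURE
2017-03-06T09:00:06Z 10.0.5.23 DC01 svc_sql FAILURE
2017-03-06T09:00:07Z 10.0.5.23 WS117 administrator FAILURE
2017-03-06T09:00:08Z 10.0.5.23 WS118 administrator FAILURE
2017-03-06T09:00:09Z 10.0.5.23 WS118 administrator SUCCESS
2017-03-06T09:01:10Z 10.0.7.88 FS01 mlopez FAILURE
2017-03-06T09:01:25Z 10.0.7.88 FS01 mlopez FAILURE
2017-03-06T09:01:40Z 10.0.7.88 FS01 mlopez SUCCESS
this line is malformed and must be skipped
2017-03-06T13:00:00Z 10.0.9.4 FS01 administrator FAILURE
2017-03-06T14:00:00Z 10.0.9.4 FS02 administrator FAILURE
2017-03-06T15:00:00Z 10.0.9.4 DC01 administrator FAILURE
"""

# Assumed tuning values for this example; real values depend on the estate.
WINDOW = timedelta(minutes=10)
MIN_HOSTS = 3      # distinct target hosts failed from one source inside WINDOW
MIN_ACCOUNTS = 3   # distinct accounts failed from one source inside WINDOW


def parse_events(text):
    """Return (ts, src, host, account, outcome) tuples sorted by time.

    Malformed lines and unknown outcomes are dropped rather than raising, so
    one bad forwarder cannot stall the whole detection run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts_raw, src, host, account, outcome = parts
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        if outcome not in ("FAILURE", "SUCCESS"):
            continue
        events.append((ts, src, host, account, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=WINDOW, min_hosts=MIN_HOSTS,
                 min_accounts=MIN_ACCOUNTS):
    """Return {source: alert} for sources whose failures fan out inside window.

    Once a source is flagged, every later failure is added to its alert and
    any later SUCCESS from it is recorded: a success after a spray is the
    strongest sign that a weak password was actually found.
    """
    recent = defaultdict(deque)   # src -> failures still inside the window
    alerts = {}
    for ts, src, host, account, outcome in events:
        if outcome == "SUCCESS":
            if src in alerts:
                alerts[src]["success_after_alert"].append((ts, host, account))
            continue
        q = recent[src]
        q.append((ts, host, account))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if src in alerts:
            a = alerts[src]
            a["failures"] += 1
            a["hosts"].add(host)
            a["accounts"].add(account)
            continue
        hosts = {h for _, h, _ in q}
        accounts = {a for _, _, a in q}
        if len(hosts) >= min_hosts or len(accounts) >= min_accounts:
            alerts[src] = {"first_alert": ts, "failures": len(q),
                           "hosts": hosts, "accounts": accounts,
                           "success_after_alert": []}
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {a['failures']} failures, {len(a['hosts'])} hosts, "
              f"{len(a['accounts'])} accounts, first seen {a['first_alert']}, "
              f"successes after alert: {a['success_after_alert']}")
```

Run as-is it flags only 10.0.5.23, with the follow-on success on WS118 attached to the alert, and leaves the mistyping user alone. It also misses 10.0.9.4 by design of the sample: a worm pacing itself to one host per hour slips under a 10-minute window, which is why a second, longer-horizon count (distinct hosts failed per source per day) belongs beside the short-window rule in any real deployment.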