Perhaps you remember Shamoon, a mysterious threat able to wipe the entire hard disk of the affected computer. This malware dates back to 2012 and has infected more than 35,000 computers in Saudi Arabia, targeting a gas company.
Shamoon caused panic for a while, then disappeared into thin air. Unexpectedly, it came back. There are two threats: Shamoon 2.0 (an update to the 2012 version), and StoneDrill.
StoneDrill aims a European oil company, while Shamoon focuses on the Middle East. Kaspersky Lab researchers – discoverers of the new attacks, occurred between November and January – found that Shamoon 2.0 comes with new features making it more effective: reduced use of the C&C servers, a fully functional ransomware module and new 32-bit and 64-bit components.
Like his predecessor, the latest version of Shamoon infiltrates a network and obtains administrator credentials. It spreads targeting all the organization/company computers and waits for the activation. Then the hackers activate the wiper, leaving the infected PCs completely inoperable.
StoneDrill is instead able to circumvent any security control by giving up the use of disk drivers during the malware installation. To succeed, it injects a wiping module into the computer memory associated with the user’s preferred browser. The malware includes a backdoor able to steal data from PCs before making them unusable.
The Kaspersky researchers came across four C&C panels used by hackers to take data from a still unknown number of victims.
StoneDrill and Shamoon 2.0 share some same parts of code, but it is still unclear whether the hackers responsible pursue a joint project. StoneDrill is involved in an espionage campaign called “NewsBeef” which has already targetted several international organizations. According to Kaspersky researchers:
The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East. The target for the attack appears to be a large corporation with a wide area of activity in the petrochemical sector, with no apparent connection or interest in Saudi Arabia.