March 08, 2017
The Shamoon disk-wiping malware has received a major upgrade during the past few months, and now features a ransomware module, along with support for both 32-bit and 64-bit architectures, researchers from Kaspersky Lab revealed on Monday.
Shamoon, also known as Disttrack and first spotted in 2012, is one of today's most notorious malware families, even if one of the least frequently seen.
The malware rose to infamy after a nation-state actor used it to erase data from over 35,000 computers belonging to Saudi oil provider Aramco in 2012.
Timeline of attacks with disk-wiping malware (via Kaspersky)
The malware was also used against other, smaller targets, but mostly remained silent until November 2016, when reports from Symantec and Palo Alto Networks revealed new attacks against a number of private companies in Saudi Arabia.
According to Kaspersky, the attacks continued through December 2016, with a further wave in January 2017.
New StoneDrill disk wiper discovered
After analyzing the malware used in the attacks, researchers say they not only discovered an overhauled version of Shamoon, which they now track as Shamoon 2.0, but also a new disk-wiping malware, closely related to Shamoon, which they named StoneDrill.
Based on an in-depth analysis of the two new malware strains, available in this 30-page report, StoneDrill is much more advanced than Shamoon 2.0, and has also been used against a company located in Europe, not just Saudi Arabian targets.
StoneDrill's most notable additions are advanced sandbox-evasion techniques, the use of external scripts for malicious actions, and a fileless infection method that injects the wiper component directly into memory instead of loading a disk-access driver, as the Shamoon family does.
Similarities and differences between Shamoon and StoneDrill (via Kaspersky)
Shamoon 2.0 and StoneDrill share some of the same pre-wiping features, such as commands to dump and steal credentials from infected hosts, backdoor functionality for exfiltrating data from victims, and some common C&C server infrastructure.
Shamoon ransomware module used as false flag
As for Shamoon itself, version 2.0 includes many new features, of which the ransomware module stands out.
The prevailing theory is that Shamoon operators will use the ransomware module as an alternative to wiping data from compromised computers.
The reason Shamoon operators wiped data from infected hosts in the first place was to cover their tracks after stealing data from the victim's machines.
Experts believe the ransomware module will be used to fool victims into believing they suffered a run-of-the-mill ransomware infection, so that they restore files from backups or wipe and reinstall computers without investigating the incident further. For defenders, the practical caveat is that an apparent ransomware outbreak on hosts that also show signs of credential dumping or backdoor activity should be handled as a possible wiper intrusion: preserve disk images and logs for forensics before rebuilding.
Previous reports on Shamoon from companies such as Websense (now Forcepoint), Seculert, and Kaspersky have suggested that an Iran-based group, possibly a state actor, might be behind the attacks.
Insight on Shamoon operations (via Kaspersky)