StoneDrill – Shamoon & Shamoon 2.0 Variant

StoneDrill – Shamoon & Shamoon 2.0 Variant

March 13, 2017 | Adeline Zhang

Author: Cody Mercer – Senior Threat Intelligence Researcher

Executive Summary

It would appear that a new variant titled ‘StoneDrill‘ has now hit the wild and conducts operations very similar to that of Shamoon 2.0 and Shamoon malware. Moreover, Kaspersky Labs has evaluated the source code and it appears to contain various source code line items and coding structure very similar to Shammon 2.0 with the primary difference being the language in which the code was written in. StoneDrill has been confirmed to perform various destructive habits like wiping a user’s computer memory and/or encrypting ones hard-drive space for a ransomware like attack functions.

Additionally, the source code occupies an anti-sandbox function that supports anti-evading techniques preventing standard sandbox software and other reverse engineering tools from recognizing the variant as a malicious software. Seemingly, Kaspersky Lab’s was able to conclude that once the virus has successfully injected itself into the computers file and directory system a backdoor can be created. The primary purpose behind the backdoor property is for exfiltration operations and espionage tactics to feed into one of the four command and control panels identified in the reverse engineering analysis of the StoneDrill code.

Shamoon 2.0 Recap

Several weeks ago I wrote a blog on Shamoon 2.0 that may be read here. To briefly recap, Shamoon 2.0 is a form of malware that supports the ability to delete an entire hard-drive or the memory space of a computer or asset. Additionally, the specific payload residing in the Shamoon 2.0 exploit is known as ‘Disttrack’.

The Disttrack payload is designed to spread its nefarious actions to other computers on the same subnet/network by logging in using previously stolen, but legitimate domain account credentials and then permitting for itself to copy to the local system for continued exploitation purposes. Once this is achieved, the malware schedules a task, or logic-bomb, to execute the payload at a pre-planned time that prevents the computer from booting up properly and ultimately being unusable.

 StoneDrill Origin & Attribution

Researches at Kaspersky Lab wrote several YARA rules that triggered the alerts and IOC’s (Indicators of Compromise) which led the researches to believe that StoneDrill supports source code attributes that are similar to that of Shamoon and Shamoon 2.0 features. The actual language of StoneDrill source code itself is written in Persian and Shamoon is written in Arabic-Yemen. Hence, not only are the attack attributes of the various malware forms very similar in comparison, but the languages used to write the code are closely related geographically. Moreover, the style of coding and structuring of the code itself shows similarities to that of the Shamoon era.

Illustration Courtesy of Kaspersky Labs

Even though the languages of the source codes vary they still resemble languages common to geographical areas of the Middle East, specifically Iran and Yemen. This notion connects known threat actors and their campaign attribution to that specific region geographically and share a common theme for correlation purposes. Interestingly, even though the majority of the victims of StoneDrill have occurred predominately in the Middle Eastern region, there have been recent reports that this exploit has been active in various countries throughout Europe.

NSFOCUS’s Recommended Solutions & Best Practices

  1. If a discovered threat exploits one or more network services immediately disable and block access to those services until a patch has been applied.
  2. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  3. Firewall use should be heavily applied to block all incoming connections from external sources to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want publicly accessible.
  4. Enforce a strict password policy. Complex passwords make it difficult to crack password files on compromised computers.
  5. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  6. Configure your email server to block or remove emails that contain file attachments which are commonly used to deploy malware. Such attachment types may include but not limited to: .vbs, .bat, .exe, .pif and .scr files.
  7. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  8. Train employees not to open email attachments unless the attachments are expected from an outside source. Moreover, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

http://www.nsfocusglobal.com.