Wiper malware is rare – just a handful of occurrences have been documented. However, in the latest appearance of Shamoon, a new ransomware component was uncovered in addition to the disk-wiping capability. Because you can’t have too much of a bad thing, it would seem. The ransomware component hasn’t been deployed but is ready for use. The Shamoon 2.0 dropper is a worm that infects computers in Windows domains, leveraging hardcoded, previously stolen usernames and passwords. Kaspersky has released a full report on it.
Kaspersky has now identified another wiper malware in the wild. Dubbed “StoneDrill”, it has targeted organizations in Saudi Arabia, but it has also gone after a petrochemical organization in Europe. At this stage, StoneDrill appears similar to the work of the APT group NewsBeef or Charming Kitten, which was linked to the latest Shamoon endeavours. Kaspersky notes: “Particularly interesting is the heavy use of anti-emulation techniques in the malware, which prevents the automated analysis by emulators or sandboxes.” StoneDrill relies on these far more heavily than Shamoon did. It also uses VBS scripts to run self-delete routines, whereas Shamoon did not rely on any external scripts. In addition, the disk wiper module in StoneDrill is not written to disk as Shamoon’s is. Instead, it is injected directly into the user’s browser process memory; no drivers are required.
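Two of the behaviours described above, in-memory injection into a browser process and VBS-based self-deletion, leave traces in endpoint telemetry. The following is an added triage example (not code from the page or from Kaspersky’s report) that runs simple heuristics over constructed Sysmon-style events: Event ID 8 (CreateRemoteThread) into a browser from a different image, and Event ID 1 (ProcessCreate) where a script host runs a .vbs outside an interactive parent. The browser and parent names are assumptions, not indicators from the report.

```python
# Constructed Sysmon-style events for illustration; field names follow Sysmon's schema,
# but the image paths and command lines are made up (assumption, not report IoCs).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}  # assumed targets
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def base(path):
    """Lower-case file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def remote_thread_into_browser(ev):
    """Event ID 8: a non-browser process creating a thread inside a browser process."""
    if ev.get("EventID") != 8:
        return False
    src, dst = base(ev["SourceImage"]), base(ev["TargetImage"])
    return dst in BROWSERS and src != dst


def script_host_cleanup(ev):
    """Event ID 1: wscript/cscript running a .vbs whose parent is not the shell (heuristic)."""
    if ev.get("EventID") != 1:
        return False
    return (base(ev["Image"]) in SCRIPT_HOSTS
            and ".vbs" in ev.get("CommandLine", "").lower()
            and base(ev["ParentImage"]) != "explorer.exe")


def triage(events):
    """Return (label, subject, object) tuples for events matching either heuristic."""
    findings = []
    for ev in events:
        if remote_thread_into_browser(ev):
            findings.append(("remote-thread-into-browser", ev["SourceImage"], ev["TargetImage"]))
        elif script_host_cleanup(ev):
            findings.append(("script-host-cleanup", ev["ParentImage"], ev["CommandLine"]))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\chrome.exe"},          # benign: same image
    {"EventID": 8, "SourceImage": r"C:\Users\Public\svchost_.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\chrome.exe"},          # suspicious injection
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\alice\\logon.vbs"'},            # benign: user-launched
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Users\Public\svchost_.exe",
     "CommandLine": 'wscript.exe //B "C:\\Users\\Public\\cleanup.vbs"'},    # suspicious self-delete
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```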