Data-Wiping Malware Targets Europe
Posted by RFMariano (Site Owner - Administrator) on 03-07-2017, 08:02 AM, in RGN - Raiders Global News > Science, Tech & Computer News
This Hard Drive Will Self Destruct.
Data-Wiping Malware Targets Europe
By Dan Goodin - 3/6/2017, 6:53 PM

Meaner strain of Shamoon makes comeback, joined by new, never-before-seen disk wiper.

Shamoon—the mysterious disk wiper that popped up out of nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing—is back. Its new, meaner design has been unleashed three times since November. What's more, a new wiper developed in the same style as Shamoon has been discovered targeting a petroleum company in Europe, where wipers used in the Middle East have not previously been seen.

Researchers from Moscow-based antivirus provider Kaspersky Lab have dubbed the new wiper "StoneDrill." They found it while they were researching the trio of Shamoon attacks, which occurred on two dates in November and one date in late January. The refurbished Shamoon 2.0 added new tools and techniques, including less reliance on outside command-and-control servers, a fully functional ransomware module, and new 32-bit and 64-bit components. StoneDrill, meanwhile, features an impressive ability to evade detection by, among other things, forgoing the use of disk drivers during installation. To accomplish this, it injects a wiping module into the computer memory associated with the user's preferred browser. StoneDrill also includes backdoor functions that are used for espionage purposes. Kaspersky researchers found four command-and-control panels that the attackers used to steal data from an unknown number of targets. Besides sharing code similarities with Shamoon, StoneDrill also reuses code used in an espionage campaign dubbed "NewsBeef," which targeted organizations around the world.


"The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East," Kaspersky Lab researchers wrote in a 35-page report published Monday. "The target for the attack appears to be a large corporation with a wide area of activity in the petrochemical sector, with no apparent connection or interest in Saudi Arabia."

The researchers still don't know precisely what connection StoneDrill has with Shamoon. The most plausible relationship, they said, is that each belongs to two different hacking groups that are aligned in their interests. This theory is consistent with the discovery that StoneDrill contains support for Arabic-Yemen language while Shamoon contains mostly Persian language support. The Persian-speaking Iran and Yemen "are both players in the Iran-Saudi Arabia proxy conflict," researchers noted in Monday's report.

The researchers also noted the possibility that one or both of the embedded language sections are "false flags" intended to mislead investigators about the origins of the malware. Another possibility is that StoneDrill is a less-used wiper that's deployed in certain situations by the same group that uses Shamoon. It's also possible that StoneDrill and Shamoon are used by two different groups that have no connection to each other and just happened to target Saudi organizations at the same time.

[Figure: An overview of the Shamoon and StoneDrill disk-wiping malware packages. Credit: Kaspersky Lab]

StoneDrill came to the attention of Kaspersky Lab as researchers were investigating the recent wave of Shamoon attacks. Part of their probe involved the use of a malware-hunting tool known as YARA. The researchers initially thought that a detection rule they wrote had uncovered a new Shamoon variant. After deeper analysis, the researchers found that the malware was a distinct, never-before-seen wiper, which they dubbed StoneDrill.
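The paragraph above describes the mechanism by which StoneDrill was found: a YARA rule written for Shamoon fired on a different family because the two share code. The following is an added example, not part of the article and not Kaspersky's rule or the YARA engine itself. It is a minimal YARA-style matcher (named patterns plus a condition over which patterns matched) run over constructed byte samples; the "shared routine" bytes and the `PLACEHOLDER-FAMILY-*` markers are invented for the demonstration and do not correspond to any real Shamoon or StoneDrill artifact. It shows how a rule keyed only on reused code matches both families, and how a tighter condition or an exclusion separates them so a new family gets its own detection name.

```python
"""
Added example (not from the article, not Kaspersky's rule, and not YARA itself):
a minimal YARA-style matcher showing how a signature written for one malware
family fires on a related family that reuses code, and how narrowing the
condition separates the two. Every byte sample below is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Union

Pattern = Union[bytes, re.Pattern]


@dataclass
class Rule:
    """A rule is a set of named patterns plus a condition over the set of
    identifiers that matched, mirroring YARA's strings/condition layout."""
    name: str
    strings: Dict[str, Pattern]
    condition: Callable[[Set[str]], bool]


def scan_strings(rule: Rule, data: bytes) -> Set[str]:
    """Return the identifiers of the rule's patterns that occur in data."""
    matched: Set[str] = set()
    for ident, pattern in rule.strings.items():
        if isinstance(pattern, bytes):
            if pattern in data:
                matched.add(ident)
        elif pattern.search(data):
            matched.add(ident)
    return matched


def evaluate(rule: Rule, data: bytes) -> bool:
    """True when the rule's condition holds over the matched identifiers."""
    return rule.condition(scan_strings(rule, data))


def classify(rules: List[Rule], data: bytes) -> List[str]:
    """Names of all rules that fire on data, in ruleset order."""
    return [r.name for r in rules if evaluate(r, data)]


# --- constructed samples: placeholder bytes, not real malware content ----------
SHARED_ROUTINE = b"\x55\x8b\xec\x83\xec\x20\x53\x56\x57\x8b\x7d\x08"  # hypothetical code reused by both families
FAMILY_A_MARKER = b"PLACEHOLDER-FAMILY-A"   # artifact only the first family carries (constructed)
FAMILY_B_MARKER = b"PLACEHOLDER-FAMILY-B"   # artifact only the second family carries (constructed)

SAMPLE_A = b"\x00" * 16 + SHARED_ROUTINE + b"\x90" * 8 + FAMILY_A_MARKER
SAMPLE_B = b"\x00" * 16 + SHARED_ROUTINE + b"\xcc" * 8 + FAMILY_B_MARKER
SAMPLE_BENIGN = b"\x00" * 16 + b"hello world" + b"\x90" * 8

# Loose rule: keyed only on the shared code fragment. This is the situation the
# article describes: a rule written for family A also fires on family B.
LOOSE_RULE = Rule(
    name="family_a_loose",
    strings={"$shared_code": SHARED_ROUTINE},
    condition=lambda m: "$shared_code" in m,
)

# Tight rule: the shared code AND a family-specific artifact are both required.
TIGHT_RULE = Rule(
    name="family_a_tight",
    strings={"$shared_code": SHARED_ROUTINE,
             "$marker": re.compile(rb"PLACEHOLDER-FAMILY-A")},
    condition=lambda m: {"$shared_code", "$marker"} <= m,
)

# Variant rule: catches the shared routine but excludes family A's artifact, so
# the newly found family is reported under its own name rather than as family A.
VARIANT_RULE = Rule(
    name="family_b_variant",
    strings={"$shared_code": SHARED_ROUTINE, "$a_marker": FAMILY_A_MARKER},
    condition=lambda m: "$shared_code" in m and "$a_marker" not in m,
)

RULESET = [LOOSE_RULE, TIGHT_RULE, VARIANT_RULE]


if __name__ == "__main__":
    for label, blob in [("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", SAMPLE_BENIGN)]:
        print(label, classify(RULESET, blob))
```

Running it prints that the loose rule fires on both samples while the tight and variant rules each fire on exactly one; the benign buffer matches nothing. The design point is that a rule's condition, not just its string list, decides whether shared code produces a misattribution or a useful lead to a new family.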

Like the Shamoon strain from 2012, the newer version quietly burrows into a targeted network so that attackers can obtain administrator credentials. Shamoon 2.0 allows the attackers to build a custom wiper that uses the credentials to spread widely inside the organization. Then, on a set date, the wiper activates and quickly leaves the infected machines completely inoperable. The final stages of the attacks are automated, a feature that eliminates the need for communication with command-and-control servers. Kaspersky Lab researchers still don't know how StoneDrill spreads.

The newly refurbished Shamoon, its newly discovered companion StoneDrill, and the first known foray into Europe are all evidence that the Middle East-connected wiping campaign, despite its almost five-year hiatus, is anything but dead. Don't be surprised if it pops up again in the coming months or years.
