Shamoon—the mysterious disk wiper that popped up out nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing—is back. Its new, meaner design has been unleashed three time since November. What’s more, a new wiper developed in the same style as Shamoon has been discovered targeting a petroleum company in Europe, where wipers used in the Middle East have not previously been seen.
Researchers from Moscow-based antivirus provider Kaspersky Lab have dubbed the new wiper “StoneDrill.” They found it while they were researching the trio of Shamoon attacks, which occurred on two dates in November and one date in late January. The refurbished Shamoon 2.0 added new tools and techniques, including less reliance on outside command-and-control servers, a fully functional ransomware module, and new 32-bit and 64-bit components.
StoneDrill, meanwhile, features an impressive ability to evade detection by, among other things, forgoing the use of disk drivers during installation. To accomplish this, it injects a wiping module into the computer memory associated with the user’s preferred browser. StoneDrill also includes backdoor functions that are used for espionage purposes. Kaspersky researchers found four command-and-control panels that the attackers used to steal data from an unknown number of targets. Besides sharing code similarities with Shamoon, StoneDrill also reuses code used in an espionage campaign dubbed “NewsBeef,” which targeted organizations around the world.