A few months ago we talked about the safe erasure of hard drives right here. For those who do not know what it is, roughly can be defined as passing a layer of zeros on the surface of the disk after formatting to prevent data recovery, leaving it completely empty.
Something similar is what makes a new malware known as StoneDrill, according to published in Ars Technica. Until now viruses of this type had only been seen in the Middle East, but an infection with this threat has been detected by Kaspersky’s investors in a European oil company, where they had never arrived before.
The malware sneaks into the target network and steals the administrator’s credentials. From there, the attackers can create a specific wiper or “eraser” that, when they have achieved their purpose, erases the disk completely by adding a layer of zeros, making data recovery impossible. In the process, they leave the infected computer unusable. What they have not yet discovered is how this threat spreads.
Apparently, StoneDrill is a derivative of another similar malware known as Shamoon, which in 2012 targeted a Saudi natural gas company in which it would leave 35,000 computers completely empty. After that, this cyber threat disappeared in the dark and was never heard from again.
At least, until recently. The last November Shamoon reappeared with two new attacks. In the analysis that the researchers carried out of the tool new techniques and tools were found, among which was a fully functional ransomware module and a new set of functions for 32 and 64 bit systems.
StoneDrill as a spin-off of Shamoon
Apparently and according to the medium, StoneDrill has the same characteristics as this Shamoon reinterpreted, and to them we must add the ability to avoid detection by renouncing the use of disk drivers. To achieve this, it injects a secure erasure module into the system in the part of the memory that is associated with the user’s browser.
To make matters worse, the malware also incorporates espionage functions through backdoors. Among them, Kaspersky researchers found four command-and-control panels to steal data from an unknown number of targets. All this comes, apparently, from reused code from other malware used in a worldwide campaign known as NewsBeef.
From all this it follows that it also has features of NewsBeef such as obtaining the browser’s fingerprint, the ability to collect sites visited and installed extensions and, in addition, modules for social engineering with victims. We remind that with this practice it is intended that victims give sensitive information to the attacker in a voluntary manner.
For now, apart from the reused code, researchers do not know what relationship Shamoon and StoneDrill have. The most plausible according to the medium is that they are two groups of different hackers, who have allied because they share “similar interests”.
