StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association withAPT33.[1][2]
Associated Software Descriptions
| Name | Description |
|---|---|
| DROPSHOT |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .005 | Command and Scripting Interpreter:Visual Basic | StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2] |
| Enterprise | T1485 | Data Destruction | StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2] | |
| Enterprise | T1561 | .001 | Disk Wipe:Disk Content Wipe | StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3] |
| .002 | Disk Wipe:Disk Structure Wipe | StoneDrill can wipe the master boot record of an infected computer.[3] | ||
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | StoneDrill has been observed deleting the temporary files once they fulfill their task.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[2] | |
| Enterprise | T1027 | .013 | Obfuscated Files or Information:Encrypted/Encoded File | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2] |
| Enterprise | T1055 | Process Injection | StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2] | |
| Enterprise | T1012 | Query Registry | StoneDrill has looked in the registry to find the default browser path.[2] | |
| Enterprise | T1113 | Screen Capture | StoneDrill can take screenshots.[2] | |
| Enterprise | T1518 | .001 | Software Discovery:Security Software Discovery | StoneDrill can check for antivirus and antimalware programs.[2] |
| Enterprise | T1082 | System Information Discovery | StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[2] | |
| Enterprise | T1124 | System Time Discovery | StoneDrill can obtain the current date and time of the victim machine.[2] | |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2] | |
| Enterprise | T1047 | Windows Management Instrumentation | StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2] | |
Groups That Use This Software
References
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.