StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
| Name | Description |
|---|---|
| DROPSHOT | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2] |
| Enterprise | T1485 | Data Destruction | StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2] |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | StoneDrill can wipe the master boot record of an infected computer.[3] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | StoneDrill has been observed deleting the temporary files once they fulfill their task.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2] |
| Enterprise | T1055 | Process Injection | StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2] |
| Enterprise | T1012 | Query Registry | StoneDrill has looked in the registry to find the default browser path.[2] |
| Enterprise | T1113 | Screen Capture | StoneDrill can take screenshots.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | StoneDrill can check for antivirus and antimalware programs.[2] |
| Enterprise | T1082 | System Information Discovery | StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[2] |
| Enterprise | T1124 | System Time Discovery | StoneDrill can obtain the current date and time of the victim machine.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2] |
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | |