Kaspersky Lab's researchers have discovered new malware that has set its crosshairs on Europe.
In a newly published research paper, Kaspersky Lab reports a new strain of malware that has entered Europe. The new data-wiping malware “StoneDrill” is not your average run-of-the-mill virus. It is difficult to detect and does not need to use disk drivers for installation. Instead, StoneDrill takes advantage of the user's preferred browser to wipe the computer's memory.
More worrying still are StoneDrill's backdoor functions. The malware does not only wipe data. Researchers have found that StoneDrill has already managed to steal data from an unknown number of computers. It is also unclear what the stolen data is for, but data theft is almost always malicious.
However, the malware does not seem to be targeting individual users. Researchers claim that StoneDrill seems to prefer large organizations, particularly those with petrochemical interests.
This was not the first time that disk-wiping malware popped up to cause a large-scale disturbance. In 2012, a mysterious form of malware suddenly appeared and crippled 35,000 computers in a Saudi Arabian company. This malware was dubbed Shamoon, and it disappeared just as mysteriously as it showed up. In November of last year, however, it came back with a vengeance, meaner and worse than before.
The researchers discovered StoneDrill while they were investigating Shamoon's newest attacks. They used a tool called YARA to hunt for malware, and StoneDrill was caught in the net, so to speak. At first, the researchers thought that StoneDrill was another version of Shamoon. Upon closer investigation, however, they discovered that StoneDrill is in fact newer than, and distinct from, Shamoon.
Both Shamoon and StoneDrill have similar code. However, the connection between the two malware families is still unclear. It doesn't seem like the same group created both, though it's definitely a possibility. Researchers postulate that the creators of the two malware families may be two distinct groups with similar interests and agendas.
The groups that created Shamoon and StoneDrill are probably based in the Middle East. Researchers found that Shamoon has Persian language support, while StoneDrill has Arabic-Yemen language support. This discovery may provide a clue as to why the two malware families are targeting organizations with petroleum interests. Iran and Yemen “are both players in the Iran-Saudi Arabia proxy conflict,” the researchers report.
The researchers admit, however, that this may be a ruse or a misdirection. It's entirely possible that the creators are not in fact from the Middle East. The language support packs may be false flags that aim to keep investigators from finding the true origins of the malware.
Though the researchers have discovered how Shamoon and Shamoon 2.0 enter and spread throughout computer networks, StoneDrill remains a mystery. Both Shamoons steal administrator credentials that allow them to spread to all computers in an organization. Kaspersky Lab has yet to find out how StoneDrill proliferates throughout a network.
Researchers are still trying to understand how StoneDrill works. In the meantime, however, there is a good chance that both Shamoon and the new malware StoneDrill will attack again.