StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
Associated Software Descriptions

| Name | Description |
|---|---|
| DROPSHOT | |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2] |
| Enterprise | T1113 | Screen Capture | StoneDrill can take screenshots.[2] |
| Enterprise | T1485 | Data Destruction | StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2] |
| Enterprise | T1012 | Query Registry | StoneDrill has looked in the registry to find the default browser path.[2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2] |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | StoneDrill can wipe the master boot record of an infected computer.[3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | StoneDrill has been observed deleting its temporary files once they have fulfilled their task.[2] |
| Enterprise | T1082 | System Information Discovery | StoneDrill has the capability to discover the system OS, Windows version, architecture, and environment.[2] |
| Enterprise | T1124 | System Time Discovery | StoneDrill can obtain the current date and time of the victim machine.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | StoneDrill can check for antivirus and antimalware programs.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[2] |
| Enterprise | T1055 | Process Injection | StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2] |
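The rows above describe host behaviours that a detection engineer would map back to ATT&CK IDs when reviewing endpoint telemetry. The following is an added example, not code from the ATT&CK page or from any StoneDrill analysis: it classifies simplified, constructed Sysmon-style events (event 1 = process creation, event 8 = CreateRemoteThread) against three of the techniques listed for StoneDrill. The event shape, the browser list and the sample events are assumptions made for illustration; real Sysmon records carry more fields and are XML.

```python
"""Added example (not part of the ATT&CK page): map constructed Sysmon-style
events to StoneDrill technique IDs listed in the table above.

Assumptions (not from the page): event_id 1 is process creation with Image and
CommandLine; event_id 8 is CreateRemoteThread with SourceImage and TargetImage.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int           # 1 = process create, 8 = CreateRemoteThread (Sysmon numbering)
    image: str = ""         # Image (event 1) or SourceImage (event 8)
    command_line: str = ""  # CommandLine (event 1 only)
    target_image: str = ""  # TargetImage (event 8 only)


# Assumed list of browsers that could be a victim's "preferred browser" (T1055 row).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: Event) -> list:
    """Return the ATT&CK technique IDs an event is consistent with.

    T1047   - wmic.exe launched (WMIC utility used to run tasks)
    T1059.005 - a Windows Script Host process running a .vbs script
    T1055   - a remote thread created in a browser process
    """
    hits = []
    if ev.event_id == 1:
        name = _basename(ev.image)
        if name == "wmic.exe":
            hits.append("T1047")
        if name in SCRIPT_HOSTS and re.search(r"\.vbs\b", ev.command_line, re.I):
            hits.append("T1059.005")
    elif ev.event_id == 8:
        if _basename(ev.target_image) in BROWSERS:
            hits.append("T1055")
    return hits


def scan(events) -> list:
    """Flatten a stream of events into (image, technique) pairs, one per hit."""
    return [(ev.image, t) for ev in events for t in classify(ev)]


# Constructed sample telemetry; paths and command lines are invented for the example.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic process call create "cmd.exe /c whoami"'),
    Event(1, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe //B C:\Users\user\AppData\Local\Temp\run.vbs'),
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    Event(8, r"C:\Users\user\AppData\Local\Temp\stage.exe",
          target_image=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event(8, r"C:\Windows\System32\svchost.exe",
          target_image=r"C:\Windows\System32\lsass.exe"),  # not a browser: not T1055 here
]

if __name__ == "__main__":
    for image, technique in scan(SAMPLE_EVENTS):
        print(f"{technique:10s} {image}")
```

Each hit is a lead, not a verdict: WMIC and .vbs execution are common in administration, so in practice a rule like this is scoped by parent process, user and path before it alerts.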