StoneDrill: Shamoon Wiper Attacks Reloaded – Notes from the Underground

March 28, 2017  |  Danielle Russell

Nothing can tarnish a great film like a terrible sequel: The Matrix Reloaded, Independence Day II: Resurgence, The Lost World, Weekend at Bernie’s II (seriously, how long can you carry around a corpse in sunglasses?) Terrible sequels seem to surface mysteriously and unwantedly, rehashing the same old story with a slight variation on plot line and cast members.

One especially terrible sequel features a criminal hacker hell-bent on destruction of a petrochemical target using the same attack methods as the original–no, I’m not talking about Speed II: Cruise Control—but rather, the recent resurgence of Shamoon malware.

After four years of lurking in the shadows, a notorious disk-wiping malware known as Shamoon has resurfaced, with new variants targeting the Middle East and Europe. The new wiper attack variants are more sophisticated, dangerous, and one in particular, StoneDrill, is more elusive than ever.

What Is Disk Wiper Malware and Why Is It So Nefarious?

Disk wiper is a malware that’s been used in cyber espionage attacks, mainly against oil companies and governmental organizations in Saudi Arabia. Wiper malware is designed to first exfiltrate data and then to cover its tracks by wiping the data from the machine, either by deleting it or overwriting it with garbage data. Shamoon specifically deletes the master boot record (MBR) of a PC, making the machine unable to start. It’s cyber espionage with an aggressive nihilistic twist.

Shamoon works to gain administrative privileges within a network and then spreads throughout to infect as many machines as possible. That’s how Shamoon gained notoriety back in 2012. The Shamoon campaign destroyed 35,000 workstations at Saudi Arabia’s state-own oil company, Saudi Aramco. Then-U.S. Defense Secretary Leon Panetta described the attack as, “probably the most destructive attack the business sector [had] seen to date.”(1)

While the Shamoon campaign primarily targeted Saudi companies, a wave of similar-style wiper attacks soon followed, notably targeting major Asian financial institutions (DarkSeoul, 2013) and Sony Corp (Destover, 2014). Since then, however, Shamoon had all but disappeared.

Then, like a terrible sequel that no one wanted to see, Shamoon recently resurfaced in late 2016 in waves of targeted cyber espionage campaigns against private companies and governmental organizations in the Gulf Region and beyond.

StoneDrill and Shamoon 2.0, New Wiper Attacks Are on the Rise

A new variant of Shamoon, Shamoon 2.0, emerged in November 2016 and January 2017 in two separate attacks against multiple private companies and government and civic organizations in Saudi Arabia. The new variant has the same goal as the original – to steal sensitive data and then unleash a symphony of destruction on its victims’ networks. According to one Bloomberg news report regarding the November 2016 attack, “Thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days.”

IBM researchers traced the initial point of compromise for the Shamoon 2.0 attacks to phishing emails targeting HR employees with resume-like MS Word attachments loaded with malicious macros that launched PowerShell communication with a C2 server.(3)

While analyzing Shamoon 2.0, security researchers at Kaspersky Labs identified StoneDrill, a similar-style wiper attack.(2) While StoneDrill has similar attributes as Shamoon 2.0, it has different source code, is reportedly better at evading detection, and does not rely on communication with a C2 server. While StoneDrill targeted Saudi-based organizations, it was also found in an attack that had targeted a petrochemical company in Europe.(2)

It’s not entirely clear who’s behind the recent waves of StoneDrill and Shamoon 2.0 wiper attacks, although researchers speculate that state-sponsored Iranian or Yemeni attackers may be involved. We’ll likely be learning more about the latest wave of Shamoon-style attacks throughout 2017.

How Does AlienVault Help Defend Against Wiper Attacks like StoneDrill and Shamoon 2.0?

AlienVault Unified Security Management (USM) delivers essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to the latest variants of wiper attacks like Shamoon 2.0 and StoneDrill.

The built-in network intrusion detection system (NIDS) in USM monitors your network for suspicious activity and notifies you when it detects activity related to the malware.

The AlienVault Labs Security Research team regularly updates the threat intelligence that drives threat detection in USM, keeping you up to date with new and evolving threats. The team performs extensive threat research that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves to discover the latest threats, and how to detect and respond to them.

The team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect malicious traffic and correlation rules that indicate a system compromised by StoneDrill. Learn more about these updates in the Threat Intelligence Update summary posted in our Forums, where you can keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens.

AlienVault Labs and the Open Threat Exchange (OTX) community will continue to monitor the behavior of these threats and will update the information in OTX when appropriate.


(1) “‘Shamoon’ virus most destructive yet for private sector, Panetta says,”

(2) “From Shamoon to StoneDrill, Wipers attacking Saudi organizations and beyond”

(3) “The Full Shamoon: How the Devastating Malware Was Inserted Into Networks,”

Share this with others

Get price Free trial