Skip to content

S0380 StoneDrill

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.12

Item Value
ID S0380
Associated Names DROPSHOT
Version 1.1
Created 14 May 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic StoneDrill has several VBS scripts used throughout the malware’s lifecycle.2
enterprise T1485 Data Destruction StoneDrill has a disk wiper module that targets files other than those in the Windows directory.2
enterprise T1561 Disk Wipe -
enterprise T1561.001 Disk Content Wipe StoneDrill can wipe the accessible physical or logical drives of the infected machine.3
enterprise T1561.002 Disk Structure Wipe StoneDrill can wipe the master boot record of an infected computer.3
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion StoneDrill has been observed deleting the temporary files once they fulfill their task.2
enterprise T1105 Ingress Tool Transfer StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.2
enterprise T1027 Obfuscated Files or Information StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.2
enterprise T1055 Process Injection StoneDrill has relied on injecting its payload directly into the process memory of the victim’s preferred browser.2
enterprise T1012 Query Registry StoneDrill has looked in the registry to find the default browser path.2
enterprise T1113 Screen Capture StoneDrill can take screenshots.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery StoneDrill can check for antivirus and antimalware programs.2
enterprise T1082 System Information Discovery StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.2
enterprise T1124 System Time Discovery StoneDrill can obtain the current date and time of the victim machine.2
enterprise T1497 Virtualization/Sandbox Evasion StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.2
enterprise T1047 Windows Management Instrumentation StoneDrill has used the WMI command-line (WMIC) utility to run tasks.2

Groups That Use This Software

ID Name References
G0064 APT33 1