S0380 StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
| Item | Value | 
|---|---|
| ID | S0380 | 
| Associated Names | DROPSHOT | 
| Type | MALWARE | 
| Version | 1.1 | 
| Created | 14 May 2019 | 
| Last Modified | 30 March 2020 | 
Associated Software Descriptions
| Name | Description | 
|---|---|
| DROPSHOT | [1] | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.005 | Visual Basic | StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2] | 
| enterprise | T1485 | Data Destruction | StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2] | 
| enterprise | T1561 | Disk Wipe | - | 
| enterprise | T1561.001 | Disk Content Wipe | StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3] | 
| enterprise | T1561.002 | Disk Structure Wipe | StoneDrill can wipe the master boot record of an infected computer.[3] | 
| enterprise | T1070 | Indicator Removal | - | 
| enterprise | T1070.004 | File Deletion | StoneDrill has been observed deleting its temporary files once they have fulfilled their task.[2] | 
| enterprise | T1105 | Ingress Tool Transfer | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[2] | 
| enterprise | T1027 | Obfuscated Files or Information | StoneDrill has obfuscated its modules with an alphabet-based substitution table or XOR encryption.[2] | 
| enterprise | T1055 | Process Injection | StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2] | 
| enterprise | T1012 | Query Registry | StoneDrill has looked in the registry to find the default browser path.[2] | 
| enterprise | T1113 | Screen Capture | StoneDrill can take screenshots.[2] | 
| enterprise | T1518 | Software Discovery | - | 
| enterprise | T1518.001 | Security Software Discovery | StoneDrill can check for antivirus and antimalware programs.[2] | 
| enterprise | T1082 | System Information Discovery | StoneDrill has the capability to discover the system OS, Windows version, architecture, and environment.[2] | 
| enterprise | T1124 | System Time Discovery | StoneDrill can obtain the current date and time of the victim machine.[2] | 
| enterprise | T1497 | Virtualization/Sandbox Evasion | StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2] | 
| enterprise | T1047 | Windows Management Instrumentation | StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0064 | APT33 | [1] | 
References
1. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
2. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
3. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.