Two highly destructive pieces of wiper malware have been discovered targeting industries in the Middle East. Shamoon and Stonedrill appear to share the same goal: infecting victims and wiping their hard drives.
Shamoon was originally detected back in 2012, when it attacked both Saudi Aramco and RasGas. It vanished from the wild almost as quickly as it appeared, only to resurface in November 2016.
According to Kaspersky Lab, the new Shamoon 2.0 appears to have the same goal as the original. It targeted several Saudi Arabian economic centres, and seems to be continuing the same political statement against the Saudi Monarchy.
Stonedrill was accidentally discovered while Kaspersky searched for clues about Shamoon. This malware shares several traits with Shamoon, but appears to be far more sophisticated. It is also active in the same region, although one sample of Stonedrill has been discovered in Europe as well.
The main difference between Shamoon and Stonedrill is that Shamoon contains comments made in Arabic, while Stonedrill contains Farsi language artefacts. These language differences are not conclusive proof that the two are unconnected.
Kaspersky has several theories on the existence of the two pieces of malware, but is inclined to believe that they come from two separate teams with aligned interests. Whether these two teams are actually working together is still unknown.
The goal of this malware is still relatively unknown. Kaspersky Lab has not raised the possibility that these could have come from state-sponsored attackers. Shamoon is likely to have come from hacktivists, considering the intent of the original attacks. What Stonedrill is up to is anyone’s guess.