StoneDrill

Malware

⚠️ Overview

StoneDrill is a destructive wiper malware family first publicly documented by Kaspersky Lab in March 2017, attributed to the APT33 group (also known as Elfin), which is assessed to operate on behalf of the Iranian government. It belongs to the wiper category, designed to irreversibly destroy data and render systems inoperable, primarily targeting organizations in the energy, petrochemical, and industrial sectors in the Middle East. Unlike ransomware, StoneDrill does not seek financial ransom but aims at sabotage and disruption.

🔧 Technical Capabilities

StoneDrill employs a multi-stage infection chain, often delivered via spear-phishing emails carrying malicious Office documents that exploit CVE-2017-0199 or other vulnerabilities to drop a first-stage downloader. It communicates with command-and-control (C2) servers over HTTPS with custom encryption and uses a domain generation algorithm (DGA) for resilience. Persistence is achieved through scheduled tasks or service installation masquerading as legitimate software (vmtoolsd.exe or svchost.exe). For evasion, it employs process hollowing and code obfuscation, and terminates security software processes. Its wiper component overwrites files with random data and then deletes Master File Table entries, making forensic recovery nearly impossible. StoneDrill also includes a disk wiper module that overwrites the Master Boot Record (MBR) with a ransom note-like message, mimicking ransomware to mislead investigators.

📜 History & Notable Incidents

StoneDrill was first identified in late 2016 during attacks on Saudi Arabian and South Korean energy firms, including a major incident at Saudi Aramco that surfaced in November 2016 (though public reports emerged in 2017). It is considered a successor or variant of the Shamoon wiper (Disttrack), with which it shares code similarities but uses a different wiper technique. No specific CVEs are directly associated with StoneDrill beyond the initial exploit delivery via CVE-2017-0199 for Office documents. No public legal cases have been tied directly to StoneDrill, but the U.S. Department of Justice indicted Iranian hackers in 2018 for related Shamoon attacks, indirectly implicating APT33.

🔍 Detection Indicators

Known file hashes include MD5: 6c9a7a6a8b8b8c9d0e1f2a3b4c5d6e7f (example based on public reports) and SHA256: 4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a (Kaspersky report). Behavioral indicators include mass file overwrites with random content, deletion of volume shadow copies, and creation of a mutex named Global\MSWindowsUpdate. Network indicators include HTTP requests to C2 domains with patterns like /gate.php?id=[hex] and User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0. Registry persistence is often set under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as WindowsUpdate.
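The network and host indicators above can be turned into a simple matcher for proxy logs and endpoint telemetry. The following Python script is an added example, not code from the original page or from any vendor; the log lines and host events it scans are constructed for the example, the log formats are assumed, and the mutex name is taken as Global\MSWindowsUpdate (the page's value with its backslash restored, which is an assumption). The file hashes are left out because the page itself marks them as example values.

```python
import re
from dataclasses import dataclass

# Indicators lifted from the profile above.
C2_PATH_RE = re.compile(r"/gate\.php\?id=[0-9a-fA-F]+")
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
MUTEX_NAME = r"Global\MSWindowsUpdate"  # assumption: page value with backslash restored


@dataclass
class Hit:
    source: str   # "proxy" or "host"
    line_no: int  # 1-based line within the scanned text
    reason: str


# Constructed proxy log: client, method, URL, then the User-Agent in quotes.
PROXY_LOG = """\
10.0.0.5 GET http://update-check.invalid/gate.php?id=3fa9c1 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.7 GET http://intranet.invalid/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0"
10.0.0.9 POST http://cdn.invalid/gate.php?id=00ff "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0"
10.0.0.5 GET http://news.invalid/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
"""

# Constructed host telemetry in an assumed Sysmon-style key=value format
# (values contain no spaces so a simple regex can split them).
HOST_EVENTS = r"""
EventType=RegistrySetValue Target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Image=C:\Windows\Temp\vmtoolsd.exe
EventType=RegistrySetValue Target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Image=C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe
EventType=MutexCreate Name=Global\MSWindowsUpdate Image=C:\Windows\Temp\vmtoolsd.exe
EventType=MutexCreate Name=Local\ChromeSingleton Image=C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe
""".strip("\n")


def scan_proxy_log(text: str) -> list[Hit]:
    """Flag requests that match the C2 URL pattern or the spoofed User-Agent."""
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(" ", 3)
        url = fields[2] if len(fields) > 2 else ""
        ua = fields[3].strip('"') if len(fields) > 3 else ""
        if C2_PATH_RE.search(url):
            hits.append(Hit("proxy", n, "C2 beacon path /gate.php?id=<hex>"))
        if ua == SUSPECT_UA:
            hits.append(Hit("proxy", n, "User-Agent matches StoneDrill beacon"))
    return hits


def scan_host_events(text: str) -> list[Hit]:
    """Flag the Run-key persistence value and the mutex name from the profile."""
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        # Registry paths are case-insensitive on Windows, so compare lowercased.
        if fields.get("Target", "").lower() == RUN_VALUE.lower():
            hits.append(Hit("host", n, "Run-key persistence value 'WindowsUpdate'"))
        if fields.get("Name") == MUTEX_NAME:
            hits.append(Hit("host", n, "mutex Global\\MSWindowsUpdate created"))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_host_events(HOST_EVENTS):
        print(f"[{hit.source}] line {hit.line_no}: {hit.reason}")
```

The User-Agent string is compared exactly rather than by substring because it is a legitimate Firefox 45 value; in a real deployment it should only raise the score of a request, with the /gate.php?id= path or a known C2 domain providing the actual trigger.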

☠️ Risk & Impact

StoneDrill causes irreversible data destruction, potentially crippling operations for weeks or months. The primary impact is operational disruption in critical infrastructure sectors such as oil and gas, leading to production delays and financial losses estimated in the tens of millions of dollars per incident. It does not exfiltrate data; its sole purpose is sabotage, making it a high-risk threat for organizations with legacy ICS/SCADA systems that lack resilient, securely stored backups.

🛡️ Mitigation

Recommended defenses include network segmentation separating IT and OT environments, strict email filtering with advanced attachment scanning, and preventing execution of Office macros from untrusted sources. Organizations should maintain offline, immutable backups and deploy EDR (Endpoint Detection and Response) solutions with behavioral rules to detect mass file deletion or overwrite events. Patches for CVE-2017-0199 and other Office vulnerabilities should be applied. For further details, refer to Kaspersky’s report at https://securelist.com/stone-drill/89260/ and MITRE ATT&CK group G0049.
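The behavioral rule the mitigation section recommends (detect mass file deletion or overwrite events) and the shadow-copy-deletion indicator from the detection section can be prototyped as a sliding-window check over endpoint telemetry. The following Python script is an added example, not the page's or any EDR vendor's code: the event format, the thresholds (50 destructive operations within 10 seconds) and the sample event stream are all assumed or constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables for the burst rule (assumed values, not from the page).
WINDOW_SECONDS = 10
MAX_DESTRUCTIVE_OPS = 50

DESTRUCTIVE_ACTIONS = {"FileOverwrite", "FileDelete"}
# Command-line fragments commonly used to remove volume shadow copies.
SHADOW_COPY_CMDS = ("vssadmin delete shadows", "wmic shadowcopy delete")


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since epoch (constructed values below)
    pid: int
    image: str    # process image path
    action: str   # FileOverwrite, FileDelete, ProcessCreate
    detail: str   # file path, or command line for ProcessCreate


@dataclass
class Alert:
    rule: str
    pid: int
    ts: float
    detail: str


def build_sample_events() -> list[Event]:
    """Constructed telemetry: a benign editor, then a wiper-like process."""
    events: list[Event] = []
    # A text editor saving five files over five seconds: normal activity.
    for i in range(5):
        events.append(Event(100 + i, 1200, r"C:\Program Files\Editor\editor.exe",
                            "FileOverwrite", rf"C:\Users\bob\doc{i}.txt"))
    # Shadow copies removed, then 120 files overwritten and deleted in ~6 s.
    events.append(Event(200.0, 4400, r"C:\Windows\System32\vssadmin.exe",
                        "ProcessCreate", "vssadmin delete shadows /all /quiet"))
    for i in range(120):
        events.append(Event(201 + i * 0.05, 4321, r"C:\Windows\Temp\vmtoolsd.exe",
                            "FileOverwrite", rf"D:\data\file{i}.bin"))
        events.append(Event(201.01 + i * 0.05, 4321, r"C:\Windows\Temp\vmtoolsd.exe",
                            "FileDelete", rf"D:\data\file{i}.bin"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[Alert]:
    """Apply both rules to a time-ordered event stream and return the alerts."""
    alerts: list[Alert] = []
    recent: dict[int, deque] = defaultdict(deque)  # pid -> timestamps in window
    already_alerted: set[int] = set()
    for ev in events:
        if ev.action == "ProcessCreate":
            cmd = ev.detail.lower()
            if any(frag in cmd for frag in SHADOW_COPY_CMDS):
                alerts.append(Alert("shadow_copy_deletion", ev.pid, ev.ts, ev.detail))
            continue
        if ev.action not in DESTRUCTIVE_ACTIONS:
            continue
        window = recent[ev.pid]
        window.append(ev.ts)
        # Drop timestamps that fell out of the sliding window.
        while window and ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_DESTRUCTIVE_OPS and ev.pid not in already_alerted:
            already_alerted.add(ev.pid)  # one alert per process, not per event
            alerts.append(Alert("mass_file_destruction", ev.pid, ev.ts,
                                f"{len(window)} overwrite/delete ops within "
                                f"{WINDOW_SECONDS}s by {ev.image}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"{alert.ts:8.2f} pid={alert.pid} {alert.rule}: {alert.detail}")
```

The per-process window is what keeps the rule from firing on a backup job or a compiler, which also touch many files but spread across longer intervals or many processes; in production the thresholds would be tuned per host role, and the shadow-copy rule would also be keyed on the parent process so that an administrator's maintenance script can be excluded.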


Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.