Threats Feed

Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching European targets. Shamoon 2.0, a successor to the 2012 Saudi Aramco attack tool, incorporated stolen administrator credentials, automated worm-like spreading, disk wiping, and even inactive ransomware capabilities. StoneDrill introduced advanced sandbox evasion, injected its payload into browsers, and targeted accessible files or full disks. Both malware families used obfuscation, anti-analysis tricks, and in Shamoon’s case, signed drivers for low-level destruction. StoneDrill shared code similarities with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.

The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history, its resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. This abstract succinctly captures the essence of the malware's threat and operational dynamics for a general audience.