Shamoon 2.0 and StoneDrill Revive Wiper Threats Across Saudi and European Targets
- Actor Motivations: Sabotage
- Attack Vectors: Compromised Credentials, Backdoor, Ransomware, Wiper
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching at least one European target. Shamoon 2.0, a successor to the tool used in the 2012 Saudi Aramco attack, used stolen administrator credentials for automated, worm-like spreading, wiped disks at a preset activation time, and carried a ransomware (encryption) module that was present but not enabled in the observed samples. StoneDrill added sandbox evasion, injected its payload into the user's browser process, and wiped either accessible files or entire disks. Both families relied on obfuscation and anti-analysis tricks; Shamoon additionally used a legitimately signed disk driver for low-level destruction. StoneDrill shares code with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Energy | High |
| Region | Saudi Arabia | Verified |
| Region | European Countries | Verified |
Extracted IOCs
- service1.chrome-up[.]date
- service.chrome-up[.]date
- webmaster.serveirc[.]com
- www.actdire[.]com
- www.chrome-up[.]date
- www.chromup[.]com
- www.eservic[.]com
- www.securityupdated[.]com
- 00c417425a73db5a315d23fac8cb353f
- 0ccc9ec82f1d44c243329014b82d3125
- 1493d342e7a36553c56b2adea150949e
- 271554cff73c3843b9282951f2ea7509
- 2cd0a5f1e9bcce6807e57ec8477d222a
- 33a63f09e0962313285c0f0fb654ae11
- 38f3bed2635857dc385c5d569bbc88ac
- 41f8cd9ac3fb6b1771177e5770537518
- 42f883d029b47f9d490a427091da3f5d
- 5446f46d89124462ae7aca4fce420423
- 548f6b23799f9265c01feefc6d86a5d3
- 5bac4381c00044d7f4e4cbfd368ba03b
- 63443027d7b30ef0582778f1c11f36f3
- 697c515a46484be4f9597cb4f39b2959
- 6a7bff614a1c2fd2901a5bd1d878be59
- 6bebb161bc45080200a204f0a1d6fc08
- 7772ce23c23f28596145656855fd02fc
- 7946788b175e299415ad9059da03b1b2
- 7edd88dd4511a7d5bcb91f2ff177d29d
- 7f399a3362c4a33b5a58e94b8631a3d5
- 8405aa3d86a22301ae62057d818b6b68
- 8712cea8b5e3ce0073330fd425d34416
- 8e67f4c98754a2373a49eaf53425d79a
- 8fbe990c2d493f58a2afa2b746e49c86
- 940cee0d5985960b4ed265a859a7c169
- 9d40d04d64f26a30da893b7a30da04eb
- aae531a922d9cca9ddca3d98be09f9df
- ac3c25534c076623192b9381f926ba0d
- ac4d91e919a3ef210a59acab0dbb9ab5
- ac8636b6ad8f946e1d756cd4b1ed866d
- af053352fe1a02ba8010ec7524670ed9
- b4ddab362a20578dc6ca0bc8cc8ab986
- baa9862b027abd61b3e19941e40b1b2d
- c843046e54b755ec63ccb09d0a689674
- d30cfa003ebfcd4d7c659a73a8dce11e
- da3d900f8b090c705e8256e1193a18ec
- dc79867623b7929fd055d94456be8ba0
- e3a82d1db3ae8b189d2e1e0a22d6c82f
- ec010868e3e4c47239bf720738e058e3
- efab909e4d089b8f5a73e0b363f471c1
- fb21f3cea1aa051ba2a45e75d46b98b8
- 105ee777ad31a58301310719b49c7b6a7e957823e4dabbfeaa6a14e313008c1b
- 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
- 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
- 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
- 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34
- 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842
- 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260
- 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db
- 772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5
- bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc
- c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
- eaee62a8238189e8607b24c463a84c83c2331a43b034484972e4b302bd3634d9
Tip: 61 related IOCs (0 IP, 8 domain, 0 URL, 0 email, 53 file hash) to this threat have been found.
Overlaps
Source: McAfee - December 2018
Detection (one case): 41f8cd9ac3fb6b1771177e5770537518
Source: Megabeets - June 2018
Detection (one case): 697c515a46484be4f9597cb4f39b2959
Source: Megabeets - May 2018
Detection (one case): 0ccc9ec82f1d44c243329014b82d3125
Source: Mandiant - September 2017
Detection (five cases): 0ccc9ec82f1d44c243329014b82d3125, 8e67f4c98754a2373a49eaf53425d79a, fb21f3cea1aa051ba2a45e75d46b98b8, www.chromup[.]com, www.securityupdated[.]com
Source: Blackberry - February 2017
Detection (six cases): 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd, 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b, 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34, 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, 772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5, c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
Source: Unit 42 - February 2017
Detection (two cases): service.chrome-up[.]date, service1.chrome-up[.]date
Source: Vin Ransomware - February 2017
Detection (five cases): 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd, 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b, 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34, 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
Source: Mandiant - December 2016
Detection (two cases): ac4d91e919a3ef210a59acab0dbb9ab5, c843046e54b755ec63ccb09d0a689674
Source: Palo Alto Networks - November 2016
Detection (seven cases): 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd, 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b, 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6, 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34, 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, 772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5, c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
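As an added example that is not part of this page or of any of the cited vendor reports, the script below takes a subset of the IOCs listed above, reverses the `[.]` defanging, sorts each indicator by type (domain, MD5, SHA-256), matches the result against constructed DNS and EDR-style log lines, and then reproduces the per-source intersection that the Overlaps section is built from. The log lines, file paths, the second source set and the `SOURCES` name are constructed for illustration; the first source set mirrors part of the Mandiant September 2017 entry above.

```python
import re
from collections import defaultdict

# A subset of the IOCs listed on this page, kept defanged exactly as the page prints them.
PAGE_IOCS = [
    "service1.chrome-up[.]date",
    "www.chrome-up[.]date",
    "www.chromup[.]com",
    "www.securityupdated[.]com",
    "41f8cd9ac3fb6b1771177e5770537518",
    "0ccc9ec82f1d44c243329014b82d3125",
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$")

def refang(ioc):
    """Reverse the page's defanging ('[.]' for '.') and lower-case so hashes and names compare cleanly."""
    return ioc.strip().lower().replace("[.]", ".")

def classify(ioc):
    """Type an indicator by shape; hashes are checked before domains so hex never parses as a hostname."""
    v = refang(ioc)
    if MD5_RE.match(v):
        return "md5"
    if SHA256_RE.match(v):
        return "sha256"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"

def build_index(iocs):
    """Group refanged IOCs by type so each log field is compared only against the right set."""
    index = defaultdict(set)
    for ioc in iocs:
        index[classify(ioc)].add(refang(ioc))
    return index

# Constructed log lines (not from the page): key=value DNS and EDR-style records.
SAMPLE_LOG = [
    "2017-01-23T10:15:02Z type=dns client=10.0.0.5 query=www.chrome-up.date",
    "2017-01-23T10:15:03Z type=dns client=10.0.0.5 query=cdn.www.chrome-up.date",
    "2017-01-23T10:15:04Z type=dns client=10.0.0.6 query=www.chrome-update.example",
    "2017-01-23T10:16:40Z type=edr host=WS01 path=C:\\Temp\\upd.exe md5=41F8CD9AC3FB6B1771177E5770537518",
    "2017-01-23T10:16:41Z type=edr host=WS02 path=C:\\Temp\\ok.exe md5=d41d8cd98f00b204e9800998ecf8427e",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def match_line(line, index):
    """Return (type, ioc) hits for one log line. Name fields also match when the
    queried name is a subdomain of a listed IOC (walks parent suffixes, never a bare TLD)."""
    hits = []
    for key, value in KV_RE.findall(line):
        v = value.lower()
        if key in ("md5", "sha256") and v in index[key]:
            hits.append((key, v))
        elif key in ("query", "domain", "host"):
            labels = v.split(".")
            for i in range(len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in index["domain"]:
                    hits.append(("domain", parent))
                    break
    return hits

def scan(lines, index):
    """Return only the lines that hit, paired with their matched indicators."""
    results = []
    for line in lines:
        hits = match_line(line, index)
        if hits:
            results.append((line, hits))
    return results

def overlaps(threat_iocs, sources):
    """Per-source intersection with this threat's IOC set, the way the Overlaps section is built."""
    threat = {refang(i) for i in threat_iocs}
    return {name: sorted(threat & {refang(i) for i in iocs}) for name, iocs in sources.items()}

# Constructed source sets: the first mirrors part of the Mandiant - September 2017 entry above,
# the second is a made-up report with nothing in common with this threat.
SOURCES = {
    "Mandiant - September 2017": ["0ccc9ec82f1d44c243329014b82d3125", "www.chromup[.]com", "www.securityupdated[.]com"],
    "Unrelated report": ["d41d8cd98f00b204e9800998ecf8427e", "example[.]org"],
}

if __name__ == "__main__":
    idx = build_index(PAGE_IOCS)
    for line, hits in scan(SAMPLE_LOG, idx):
        print(hits, "<-", line)
    print(overlaps(PAGE_IOCS, SOURCES))
```

Two of the five constructed lines are near misses on purpose: a lookalike domain that shares only a prefix with a listed IOC does not match, while a subdomain of a listed host does, and an upper-case hash is still matched because both sides are normalised before comparison.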
FAQs
Understanding the Shamoon 2.0 and StoneDrill Wiper Attacks
Two highly destructive malware campaigns—Shamoon 2.0 and StoneDrill—targeted organizations primarily in Saudi Arabia starting in late 2016. These attacks wiped data from infected machines, rendering them unusable.
The actors are not definitively attributed, but Shamoon has previously been linked to a group called the Cutting Sword of Justice. StoneDrill shows links to another group known as NewsBeef or Charming Kitten.
The aim was destruction. Shamoon 2.0 and StoneDrill were designed to wipe systems within targeted organizations (Shamoon 2.0 also carried a ransomware component, but it was not enabled in the observed samples), effectively disabling operations and causing widespread damage.
The main targets were in Saudi Arabia, especially in critical and economic sectors. However, StoneDrill also reached at least one organization in Europe, suggesting expanding geographic interest.
Critical infrastructure and economic sectors in Saudi Arabia were specifically targeted, most likely because of their strategic importance.
Attackers used stolen administrator credentials to move through networks and deploy wiper payloads. The malware activated automatically at preset times, wiping data and rebooting systems.
Critical infrastructure and economic institutions represent strategic national assets. Disrupting them can serve political, economic, or ideological purposes.
Organizations should enforce strict credential management, segment networks, monitor endpoints for suspicious behavior, and be prepared with tested incident response plans.
These were targeted attacks, but they highlight techniques that could be reused elsewhere. Organizations with similar profiles should consider themselves at risk.
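The credential-driven, worm-like spreading described above leaves a recognisable footprint in Windows logs. The following is an added example, not from this page or from any vendor's detection content: two rules run over constructed Windows event summaries, one for a single account fanning out to many hosts over network logons (event 4624, logon type 3) from one source address inside a short window, and one for a new service being installed (event 7045) shortly after such a logon by the same account. The event records, account names, hostnames, service names, window sizes and thresholds are assumptions for illustration; the event IDs are real Windows ones, but nothing here claims these are the exact artefacts Shamoon 2.0 or StoneDrill produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page). event_id values are real Windows IDs:
# 4624 = successful logon (logon_type 3 = network), 7045 = a new service was installed.
EVENTS = [
    {"ts": "2017-01-23T01:00:05", "host": "FS01", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin.it", "src_ip": "10.10.5.20"},
    {"ts": "2017-01-23T01:00:09", "host": "FS01", "event_id": 7045, "user": "CORP\\admin.it", "service": "WinSvcHost"},
    {"ts": "2017-01-23T01:00:12", "host": "WS07", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin.it", "src_ip": "10.10.5.20"},
    {"ts": "2017-01-23T01:00:15", "host": "WS07", "event_id": 7045, "user": "CORP\\admin.it", "service": "WinSvcHost"},
    {"ts": "2017-01-23T01:00:20", "host": "WS11", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin.it", "src_ip": "10.10.5.20"},
    {"ts": "2017-01-23T01:00:24", "host": "WS11", "event_id": 7045, "user": "CORP\\admin.it", "service": "WinSvcHost"},
    {"ts": "2017-01-23T01:00:31", "host": "DC01", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin.it", "src_ip": "10.10.5.20"},
    # Benign noise: a helpdesk user touching a single host, and a service install by SYSTEM hours later.
    {"ts": "2017-01-23T01:02:00", "host": "WS03", "event_id": 4624, "logon_type": 3, "user": "CORP\\helpdesk", "src_ip": "10.10.7.4"},
    {"ts": "2017-01-23T03:30:00", "host": "WS03", "event_id": 7045, "user": "NT AUTHORITY\\SYSTEM", "service": "WindowsUpdate"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def detect_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert when one account logs on over the network to at least min_hosts distinct hosts
    from one source address inside `window`. Thresholds are assumptions; tune them per estate."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[(e["user"], e["src_ip"])].append(e)
    alerts = []
    for (user, src_ip), evs in logons.items():
        evs.sort(key=_t)
        for i, start in enumerate(evs):   # slide the window from each logon in turn
            hosts = {x["host"] for x in evs[i:] if _t(x) - _t(start) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "fanout", "user": user, "src_ip": src_ip, "hosts": sorted(hosts)})
                break                     # one alert per (user, source) is enough
    return alerts

def detect_remote_service_install(events, max_gap=timedelta(seconds=60)):
    """Alert when a host records a new service (7045) within max_gap of a network logon (4624/3)
    by the same account: copy-to-share-then-install-service spreading looks like this."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_t)
        for i, svc in enumerate(evs):
            if svc["event_id"] != 7045:
                continue
            for prior in evs[:i]:
                if (prior["event_id"] == 4624 and prior.get("logon_type") == 3
                        and prior["user"] == svc["user"]
                        and _t(svc) - _t(prior) <= max_gap):
                    alerts.append({"rule": "remote_service_install", "host": host,
                                   "user": svc["user"], "service": svc["service"]})
                    break
    return alerts

def run(events):
    """Run both rules and return the combined alert list."""
    return detect_fanout(events) + detect_remote_service_install(events)

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

On the constructed input the fan-out rule fires once for the administrator account reaching four hosts in under a minute, and the service rule fires on the three hosts where the install followed that account's logon; the helpdesk logon and the later SYSTEM service install produce nothing because the host count and the account respectively do not line up. The same shape works over real 4624/7045 records once they are parsed into these fields.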