Threats Feed | APT33 | Last Updated: 07/05/2025 | Author: Certfa Radar | Publish Date: 21/05/2018

APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled

  • Actor Motivations: Sabotage
  • Attack Vectors: Wiper
  • Attack Complexity: Unknown
  • Threat Risk: Unknown

Threat Overview

APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

Detected Targets

Type | Description | Confidence
Sector | Energy | High
Region | Saudi Arabia | Verified

Extracted IOCs

  • 0ccc9ec82f1d44c243329014b82d3125
  • 279ff728023eeaa1715403ec823801bf3493f5ca

Tip: 2 IOCs related to this threat have been found (0 IP, 0 domain, 0 URL, 0 email, 2 file hashes).

FAQs

Understanding the Dropshot Malware

Dropshot (also called StoneDrill) is a destructive malware used by a known hacking group. It’s designed to wipe data and make systems unusable.

The malware is linked to APT33, a group previously associated with cyber operations targeting the Middle East, especially Saudi Arabia.

Dropshot is a wiper, meaning its main goal is to destroy data and disrupt operations rather than steal information.

Organizations in Saudi Arabia were the primary targets, likely due to geopolitical interests.

It hides its real functionality by encrypting strings and dynamically loading needed system functions, making it hard for analysts to study.

Critical infrastructure and government-linked organizations in the Middle East are high-value targets due to regional tensions and strategic importance.

Organizations at risk should use advanced malware detection tools, monitor for signs of tampering such as unusual memory activity, and stay updated on APT group indicators.

This appears to be a targeted attack rather than a broad campaign, but the techniques used can be adapted for wider use.