Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

StoneDrill

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

ID: S0380
Associated Software: DROPSHOT
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 14 May 2019
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
DROPSHOT [1]

Techniques Used

Domain ID Name Use
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2]

Enterprise T1485 Data Destruction

StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

StoneDrill can wipe the master boot record of an infected computer.[3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

StoneDrill has been observed deleting the temporary files once they fulfill their task.[2]

Enterprise T1105 Ingress Tool Transfer

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[2]

Enterprise T1027 Obfuscated Files or Information

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2]

Enterprise T1055 Process Injection

StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2]

Enterprise T1012 Query Registry

StoneDrill has looked in the registry to find the default browser path.[2]

Enterprise T1113 Screen Capture

StoneDrill can take screenshots.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

StoneDrill can check for antivirus and antimalware programs.[2]

Enterprise T1082 System Information Discovery

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[2]

Enterprise T1124 System Time Discovery

StoneDrill can obtain the current date and time of the victim machine.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2]

Enterprise T1047 Windows Management Instrumentation

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2]

Groups That Use This Software

ID Name References
G0064 APT33 [1]

References