Destructive malware sounds redundant, like “serious crisis” or “end result.” In fact, it is the latest advancement in malware: it takes the already cunning techniques that polymorphic malware uses to enter and hide within a computing device, and then downloads a payload that destroys your network and data with military-like precision. So, what is it?
US-CERT (United States Computer Emergency Readiness Team) describes destructive malware as having “the capability to target a large scope of systems, and… potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess its environment for atypical channels for potential malware delivery and/or propagation throughout their systems.”
Shamoon, the first version of destructive malware that can be broadly applied to civilian environments, was first spotted in the wild in 2012, when nation-state perpetrators, allegedly Iran, destroyed 35,000 Saudi Aramco workstations and put the energy company’s supply of 10 percent of the world’s oil in jeopardy. US-CERT described Shamoon as “an information-stealing malware that also includes a destructive module… render[ing] infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data. Once overwritten, the data are not recoverable.”
The original Shamoon malware was made up of three primary functional components that set up the general template that later strains of destructive malware would follow:
Newer versions of destructive malware provide functional improvements over the original Shamoon malware. Shamoon 2.0, first reported in November 2016, reused 90 percent of the code of the original Shamoon, but it also comes with “a fully functional ransomware module, in addition to its common wiping functionality,” and installs a legitimate-looking driver that changes the infected computer’s system date to a random one between August 1–20, 2012 to “fool the driver’s license checks and evaluation period.”
StoneDrill, another type of destructive malware that was discovered around the same time as Shamoon 2.0, is stylistically similar to Shamoon 2.0, particularly in its “heavy use of anti-emulation techniques in the malware, which prevents the automated analysis by emulators or sandboxes.” However, StoneDrill’s code is different, and it has even more dangerous properties than Shamoon 2.0, including:
- A disk wiper injected directly into the memory of the user’s preferred browser, rather than through drivers;
- More advanced anti-emulation techniques;
- External VBS scripts to run self-delete scripts.
According to Kaspersky Lab, StoneDrill has attacked several energy targets in Saudi Arabia and one target in Europe, but information about its impact on these targets has yet to be made public. The Shamoon 2.0 campaigns have reportedly broadened their scope to target other parts of Saudi Arabia’s infrastructure, including financial services and the public sector along with the energy sector. The scale of the campaign, which comprises multiple waves of attacks, suggests a comprehensive, coordinated operation by one nation-state to disrupt another.
Looking to understand how the latest in destructive malware is evolving to hide against other defenses? Read more about them in Cyber Threats on a Path to Destruction, our free, comprehensive guide for understanding those threats and how supervised machine learning is the key to detecting future threats.