JUST RELEASED: ATT&CK for Industrial Control Systems


StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

ID: S0380
Associated Software: DROPSHOT
Platforms: Windows
Version: 1.0
Created: 14 May 2019
Last Modified: 07 June 2019

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction

StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2]

Enterprise T1488 Disk Content Wipe

StoneDrill can wipe the accessible physical or logical drives of the infected machine. [3]

Enterprise T1487 Disk Structure Wipe

StoneDrill can wipe the master boot record of an infected computer.[3]

Enterprise T1107 File Deletion

StoneDrill has been observed deleting the temporary files once they fulfill their task. [2]

Enterprise T1027 Obfuscated Files or Information

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2]

Enterprise T1055 Process Injection

StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2]

Enterprise T1012 Query Registry

StoneDrill has looked in the registry to find the default browser path.[2]

Enterprise T1105 Remote File Copy

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine. [2]

Enterprise T1113 Screen Capture

StoneDrill can take screenshots. [2]

Enterprise T1064 Scripting

StoneDrill has several VBS scripts used throughout the malware's lifecycle. [2]

Enterprise T1063 Security Software Discovery

StoneDrill can check for antivirus and antimalware programs. [2]

Enterprise T1082 System Information Discovery

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment. [2]

Enterprise T1124 System Time Discovery

StoneDrill can obtain the current date and time of the victim machine. [2]

Enterprise T1497 Virtualization/Sandbox Evasion

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. [2]

Enterprise T1047 Windows Management Instrumentation

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2]

Groups That Use This Software

ID Name References
G0064 APT33 [1]