Register to stream ATT&CKcon 2.0 October 29-30


StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

ID: S0380
Associated Software: DROPSHOT
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction StoneDrill has a disk wiper module that targets files other than those in the Windows directory. [2]
Enterprise T1488 Disk Content Wipe StoneDrill can wipe the accessible physical or logical drives of the infected machine. [3]
Enterprise T1487 Disk Structure Wipe StoneDrill can wipe the master boot record of an infected computer. [3]
Enterprise T1107 File Deletion StoneDrill has been observed deleting the temporary files once they fulfill their task. [2]
Enterprise T1027 Obfuscated Files or Information StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption. [2]
Enterprise T1055 Process Injection StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser. [2]
Enterprise T1012 Query Registry StoneDrill has looked in the registry to find the default browser path. [2]
Enterprise T1105 Remote File Copy StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine. [2]
Enterprise T1113 Screen Capture StoneDrill can take screenshots. [2]
Enterprise T1064 Scripting StoneDrill has several VBS scripts used throughout the malware's lifecycle. [2]
Enterprise T1063 Security Software Discovery StoneDrill can check for antivirus and antimalware programs. [2]
Enterprise T1082 System Information Discovery StoneDrill has the capability to discover the system OS, Windows version, architecture and environment. [2]
Enterprise T1124 System Time Discovery StoneDrill can obtain the current date and time of the victim machine. [2]
Enterprise T1497 Virtualization/Sandbox Evasion StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. [2]
Enterprise T1047 Windows Management Instrumentation StoneDrill has used the WMI command-line (WMIC) utility to run tasks. [2]

Groups That Use This Software

ID Name References
G0064 APT33 [1]