StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

ID: S0380
Associated Software: DROPSHOT
Platforms: Windows
Version: 1.1
Created: 14 May 2019
Last Modified: 30 March 2020

Associated Software Descriptions


Techniques Used

Domain ID Name Use
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

StoneDrill has several VBS scripts used throughout the malware's lifecycle.[2]

Enterprise T1485 Data Destruction

StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

StoneDrill can wipe the accessible physical or logical drives of the infected machine.[3]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

StoneDrill can wipe the master boot record of an infected computer.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

StoneDrill has been observed deleting the temporary files once they fulfill their task.[2]

Enterprise T1105 Ingress Tool Transfer

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[2]

Enterprise T1027 Obfuscated Files or Information

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2]

Enterprise T1055 Process Injection

StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2]

Enterprise T1012 Query Registry

StoneDrill has looked in the registry to find the default browser path.[2]

Enterprise T1113 Screen Capture

StoneDrill can take screenshots.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

StoneDrill can check for antivirus and antimalware programs.[2]

Enterprise T1082 System Information Discovery

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[2]

Enterprise T1124 System Time Discovery

StoneDrill can obtain the current date and time of the victim machine.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[2]

Enterprise T1047 Windows Management Instrumentation

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2]

Groups That Use This Software

ID Name References
G0064 APT33