The sub-techniques beta is now live! Read the release blog post for more info.


StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

ID: S0380
Associated Software: DROPSHOT
Platforms: Windows
Version: 1.0
Created: 14 May 2019
Last Modified: 07 June 2019

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction

StoneDrill has a disk wiper module that targets files other than those in the Windows directory.[2]

Enterprise T1488 Disk Content Wipe

StoneDrill can wipe the accessible physical or logical drives of the infected machine. [3]

Enterprise T1487 Disk Structure Wipe

StoneDrill can wipe the master boot record of an infected computer.[3]

Enterprise T1107 File Deletion

StoneDrill has been observed deleting the temporary files once they fulfill their task. [2]

Enterprise T1027 Obfuscated Files or Information

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[2]

Enterprise T1055 Process Injection

StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.[2]

Enterprise T1012 Query Registry

StoneDrill has looked in the registry to find the default browser path.[2]

Enterprise T1105 Remote File Copy

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine. [2]

Enterprise T1113 Screen Capture

StoneDrill can take screenshots. [2]

Enterprise T1064 Scripting

StoneDrill has several VBS scripts used throughout the malware's lifecycle. [2]

Enterprise T1063 Security Software Discovery

StoneDrill can check for antivirus and antimalware programs. [2]

Enterprise T1082 System Information Discovery

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment. [2]

Enterprise T1124 System Time Discovery

StoneDrill can obtain the current date and time of the victim machine. [2]

Enterprise T1497 Virtualization/Sandbox Evasion

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. [2]

Enterprise T1047 Windows Management Instrumentation

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[2]

Groups That Use This Software

ID Name References
G0064 APT33 [1]