Cybersecurity firm Kaspersky Lab announced Monday that it had discovered what it believes to be new malware from a hacking group that has, in the past, targeted United States military personnel and congressional staff.

The online threat group Charming Kitten — also known as Newscaster or NewsBeEF — first emerged in 2011 as a group using fake journalist profiles on social media to befriend targets. It then leveraged those relationships into phishing campaigns and malware distribution.

Now, according to Kasperky, the group is using malware Kaspersky has nicknamed “StoneDrill” that appears to be based on old, proprietary Charming Kitten code. StoneDrill would be a new wrinkle for Charming Kitten in that it is a type of malware known as a "wiper" — malware designed to delete files or systems.

StoneDrill embeds itself onto the memory used by a running web browser. It is designed to delete vast swaths of files, but will make a specific effort to delete any files with names beginning with “asdhgasdasdwqe” followed by numbers. Kaspersky is unaware of the potential significance of that naming convention for files.

ADVERTISEMENT

StoneDrill was discovered during Kaspersky’s investigations into Shamoon 2.0, a different wiper tool. Though there are similarities between the two types of malware, and while Kaspersky recognizes the possibility that the two are related, the company does not currently believe the same group is behind both Shamoon and Charming Kitten.

Shamoon is a wiper malware family that had disappeared for a number of years before suddenly reappearing at the end of 2016. It is most famous for an attack that wiped 35,000 computers at Saudi Aramco in 2012.

In the course of investigating Shamoon 2.0, Kaspersky found that the new “2.0” version of the malware has an added ransomware function, allowing it to extort a target by encrypting files and refusing to decrypt them until demands are met.

Kaspersky says it has found one instance of StoneDrill deployed in the wild from an European Union client. It has also found instances of the malware distributed in Saudi Arabia.

When Charming Kitten was initially discovered, many researchers attributed the attacker to Iran, due to its use of Iranian web infrastructure to control malware and Persian artifacts in the code. But Kaspersky's announcement on the new wiper tool didn't make a determination on the group's origin.