Findings linking new wiper malware, which was the focus of a recent FBI alert, to a crippling cyberattack on Sony Pictures Entertainment have emerged.
Earlier this week, news surfaced that the FBI was warning businesses that data-wiping malware had been used in a U.S. attack – which quickly led to speculation that Sony may have been the intended target of such exploits. The confidential “flash” alert (detailed Tuesday by Reuters and later published in part by Ars Technica) warned that the malware was capable of overwriting data on the master boot record (MBR), making it “extremely difficult and costly, if not impossible, to recover the data using standard forensics methods.”
Jaime Blasco, director at AlienVault Labs, who has continued to examine the so-called “destructive” malware, said his research team has uncovered at least three variants of the malware detailed by the FBI.
In a Wednesday interview with SCMagazine.com, Blasco said he was able to link the malware samples he found to the FBI's findings using the indicators of compromise (IOCs) released by the agency.
“We cannot say if all of them have been used in the Sony attack,” Blasco said of the malware variants. “But we can tell that at least one malware sample we have found has been used in the Sony attack, because it contained information about the Sony internal network within the malware.”
Notably, Blasco explained, the malware contained hardcoded names of servers in Sony's network, as well as a username and password set that the malware used to connect to those internal servers.
In emailed commentary to SCMagazine.com, Blasco also said that attackers used the “Korean language in the systems they used to compile some of the pieces of malware.”
His findings come as reports continue to surface about North Korea's potential involvement in the Sony attack. Officials in the country recently expressed their disdain for a Sony Pictures movie, “The Interview,” slated to hit theaters this Christmas, as the comedy centers on a planned assassination of North Korean leader Kim Jong Un.
On Wednesday, security firm Trend Micro detailed its own findings on the malware described by the FBI. Calling the threat “BKDR_WIPALL,” the company found several variants of the malware.
BKDR_WIPALL.A was notably encrypted with a set of user names and passwords, which were redacted in part in a screenshot taken by Trend Micro.
“Once logged in, the malware attempts to grant full access to everyone that will access the system root,” the Trend Micro blog post said. The other variant, BKDR_WIPALL.B, deletes users' files (the wiper component) and also disables the Microsoft Exchange Information Store service, which Microsoft describes as the central data storage repository for Exchange Server, holding mailbox store and public folder store data.
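The two host behaviours Trend Micro describes for the variants, a critical service being stopped and the Everyone group being handed full control of the system root, are both visible in ordinary Windows event telemetry, so a defender can alert on them before the wiper stage runs. The following Python script is an added example and is not code from the article, AlienVault, Trend Micro or the FBI alert: it runs two simple rules over a handful of constructed event lines in an assumed pipe-delimited format (timestamp, host, source, event ID, detail), flags Service Control Manager stop events (event 7036) for services on an assumed watch list, flags process-creation events (event 4688) whose command line grants Everyone full control via cacls or icacls, and then reports hosts where both fired. The service list, the log format and the sample lines are all assumptions for illustration.

```python
"""Detection of two wiper-prelude behaviours over constructed Windows event lines.
Added example, not the article's or any vendor's code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a defender-maintained list of services whose unexpected stop
# should alert. The article names only the Exchange Information Store.
CRITICAL_SERVICES = {"Microsoft Exchange Information Store"}

# Service Control Manager event 7036 text: "The <service> service entered the stopped state."
SERVICE_STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")

# cacls/icacls invocations that give the Everyone group full control (F).
EVERYONE_FULL_RE = re.compile(r"\bi?cacls(?:\.exe)?\b.*\beveryone\s*:\s*\(?f\)?", re.IGNORECASE)

# Constructed sample telemetry (not real data). Format: ts|host|source|event_id|detail
SAMPLE_LOGS = [
    "2014-11-24T05:12:01Z|FS01|Service Control Manager|7036|The Microsoft Exchange Information Store service entered the stopped state.",
    "2014-11-24T05:12:03Z|FS01|Security|4688|icacls C:\\ /grant Everyone:F /T",
    "2014-11-24T05:13:10Z|FS02|Service Control Manager|7036|The Print Spooler service entered the stopped state.",
    "2014-11-24T05:14:00Z|FS02|Security|4688|notepad.exe readme.txt",
    "2014-11-24T05:15:30Z|FS03|Security|4688|cacls D:\\ /e /g everyone:F",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split one pipe-delimited event line into a dict; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, source, event_id, detail = parts
    return {"ts": ts, "host": host, "source": source, "event_id": event_id, "detail": detail}


def evaluate(event):
    """Apply the two rules to one parsed event; return a Finding or None."""
    if event["event_id"] == "7036":
        m = SERVICE_STOP_RE.match(event["detail"])
        if m and m.group("svc") in CRITICAL_SERVICES:
            return Finding(event["ts"], event["host"], "critical_service_stopped", event["detail"])
    elif event["event_id"] == "4688":
        if EVERYONE_FULL_RE.search(event["detail"]):
            return Finding(event["ts"], event["host"], "everyone_full_control_grant", event["detail"])
    return None


def scan(lines):
    """Run the rules over every line, skipping lines that do not parse."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


def correlate(findings):
    """Hosts on which both rules fired: together they look less like routine
    administration and more like preparation for destructive activity."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f.ts} {f.host} {f.rule}: {f.detail}")
    print("hosts with both indicators:", correlate(found))
```

On the constructed lines, the Exchange stop and the icacls grant on FS01 both fire, the cacls grant on FS03 fires on its own, and the Print Spooler stop on FS02 is ignored because that service is not on the watch list; only FS01 is reported by the correlation step. Either rule alone is noisy in a real estate (administrators do stop Exchange for maintenance), which is why the combination, not the individual event, is what should page someone.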