Breach, Data Security, Malware

Analysis of wiper malware, implicated in Sony breach, exposes Shamoon-style attacks

Findings linking new wiper malware, which was the focus of a recent FBI alert, to a crippling cyberattack on Sony Pictures Entertainment have emerged.

Earlier this week, news surfaced that the FBI was warning businesses that data-wiping malware had been used in a U.S. attack – which quickly led to speculation that Sony may have been the intended target of such exploits. The confidential “flash” alert (detailed Tuesday by Reuters and later published in part by Ars Technica) warned that the malware was capable of overwriting data on the master boot record (MBR), making it “extremely difficult and costly, if not impossible, to recover the data using standard forensics methods.”

According to Jaime Blasco, director at AlienVault Labs, who has continued to examine the so-called “destructive” malware, his research team has uncovered at least three variants of the malware detailed by the FBI.

In a Wednesday interview with SCMagazine.com, Blasco said he was able to link the malware samples he found to the FBI's findings using the indicators of compromise (IOCs) released by the agency.

“We cannot say if all of them have been used in the Sony attack,” Blasco said of the malware variants. “But we can tell that at least one malware sample we have found has been used in the Sony attack, because it contained information about the Sony internal network within the malware.”

Of note, Blasco found hardcoded names of servers in Sony's network contained in the malware, as well as a username and password set, which the malware used to connect to internal network servers, he explained.

In emailed commentary to SCMagazine.com, Blasco also said that attackers used the “Korean language in the systems they used to compile some of the pieces of malware.”

His findings come as reports continue to surface about North Korea's potential involvement in the Sony attack. Officials in the country recently expressed their disdain for a Sony Pictures movie, “The Interview,” slated to hit theaters this Christmas, as the comedy centers around a planned assassination on North Korean leader Kim Jong Un.

On Wednesday, security firm Trend Micro detailed its own findings on the malware described by the FBI. Calling the threat, “BKDR_WIPALL,” the company found several variants of the malware.

BKDR_WIPALL.A  was notably encrypted with a set of user names and passwords, which were redacted in part in a screenshot taken by Trend Micro.

“Once logged in, the malware attempts to grant full access to everyone that will access the system root,” the Trend Micro blog post said. The other variant, BKDR_WIPALL.B, deletes users' files (a reference to the wiper component), and also disables the Microsoft Exchange Information Store service, a central data storage repository for Microsoft Exchange Server that contains mailbox store and public folder store data, as a description from the tech giant says.

The backdoor will then sleep for two hours, and force the system to reboot, Trend Micro said. “Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite,” the blog added.

Offering a potential connection to the Sony attack, Trend Micro updated it blog post to detail two more variants of WIPALL. One variant (WIPALL.D) was used to drop another malware variant (WIPALL.C), which then drops a wallpaper file in the Windows directory. The wallpaper displayed the message, “hacked by #GOP,” or the “Guardians of Peace,” a group that claims to have hacked Sony and, subsequently dumped a massive amount of corporate data online.

“Therefore we have reason to believe that this is the same malware used in the recent attack [of] Sony Pictures,” Trend Micro concluded.

AlienVault's Blasco, who examined the attack methods of the group using the wiper malware, said “it was hard to tell,” so far, if the attacks were nation state-linked or hacktivist in nature.

He did say that the techniques used by perpetrators was “very similar to Shamoon,” (malware that struck oil company Saudi Aramco in August 2012 wiping data from machines) and a wiper trojan, called Jokra, used by the Dark Seoul cyber gang that targeted South Korean banks and news organizations last year.

“I'd have to see more details on similarities between the malware samples, but it's likely that some of the techniques they used are more or less the same. It could also be a copycat [attack] from different attackers,” Blasco said.

In a Thursday blog post, Symantec, which initially shed light on the Dark Seoul attacks, corroborated such theories about the malware detailed in the FBI flashing warning. The firm did not mention a Sony tie, however, in its findings.

Symantec detects the malware as “Backdoor.Destover,” and revealed that some samples of the malware shared similarities with Jokra and Shamoon.

“Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013,” the blog post said. “However there is no hard evidence as yet to link the attacks and a copycat operation can't be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same, commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks and instead it would appear that the Destover attacks copied techniques from Shamoon,” the firm said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.