Researchers at Damballa have discovered a toolset that may have helped the Destover and Shamoon malware remain undetected in the attacks on Sony and Saudi Aramco.
The discovery came while Damballa was investigating a new Destover sample: two previously unknown utilities turned up that could move stealthily through a network. Both could have helped the Sony and Saudi Aramco attackers avoid detection and remain inside the compromised systems for months.
“We came across two files that were identified by one antivirus product at the time under a generic signature. After analyzing further, we found two utilities closely related to Destover. Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface. Both utilities had usage statements and were named setMFT and afset,” said Damballa senior threat researchers Willis McDonald and Loucif Kharouni.
The setMFT utility copies the timestamps from a source file onto a destination file, a technique known as timestomping. Its name refers to the NTFS Master File Table (MFT), where those timestamps are stored. Giving a dropped tool the same timestamps as the legitimate files around it lets it blend into the directory, so an investigator sorting by date or building a timeline is unlikely to single it out.
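Timestomping of this kind leaves artifacts in the MFT record itself, because NTFS keeps two sets of timestamps: $STANDARD_INFORMATION ($SI), which user-mode code can rewrite, and $FILE_NAME ($FN), which only the kernel updates. As an added illustration (not code from the Damballa report or from setMFT), the following Python flags the two classic inconsistencies; the record layout, helper names and sample paths are constructed for this example.

```python
import datetime as dt
from dataclasses import dataclass

# NTFS stores FILETIME values: 64-bit counts of 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime(year, month, day, hour=0, minute=0, second=0, ticks=0) -> int:
    """Build a FILETIME; `ticks` is the sub-second part (0..9,999,999)."""
    when = dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + ticks


def filetime_to_iso(ft: int) -> str:
    """Render a FILETIME with its full 100-ns fraction, which matters for rule 2 below."""
    whole, frac = divmod(ft, 10_000_000)
    stamp = FILETIME_EPOCH + dt.timedelta(seconds=whole)
    return stamp.strftime("%Y-%m-%d %H:%M:%S") + f".{frac:07d}"


@dataclass
class MftRecord:
    """The subset of an MFT entry this check needs (as exported by an MFT parser)."""
    path: str
    si_created: int   # $STANDARD_INFORMATION, writable via SetFileTime
    si_modified: int
    fn_created: int   # $FILE_NAME, kernel-maintained
    fn_modified: int


def timestomp_indicators(rec: MftRecord) -> list:
    hits = []
    # Rule 1: SetFileTime only touches $SI, so a copied-in older creation time
    # ends up earlier than the $FN creation time the kernel wrote when the file appeared.
    if rec.si_created < rec.fn_created:
        hits.append("$SI created precedes $FN created")
    # Rule 2: a time set from a second-granularity value has a zero 100-ns fraction;
    # real filesystem activity almost never does.
    for label, value in (("created", rec.si_created), ("modified", rec.si_modified)):
        if value % 10_000_000 == 0:
            hits.append(f"$SI {label} has zero sub-second ticks")
    return hits


def scan(records) -> dict:
    """Map each suspicious path to its indicators; clean records are omitted."""
    result = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            result[rec.path] = hits
    return result


# Constructed sample records (not from any real system or from the Damballa report).
SAMPLE_RECORDS = [
    MftRecord(r"C:\Windows\System32\legit.dll",          # untouched file: $SI == $FN
              si_created=filetime(2014, 11, 20, 10, 0, 0, 1234567),
              si_modified=filetime(2014, 11, 20, 10, 0, 0, 1234567),
              fn_created=filetime(2014, 11, 20, 10, 0, 0, 1234567),
              fn_modified=filetime(2014, 11, 20, 10, 0, 0, 1234567)),
    MftRecord(r"C:\Windows\System32\dropped.exe",        # $SI copied from another file
              si_created=filetime(2010, 3, 1, 8, 15, 22, 5551234),
              si_modified=filetime(2010, 3, 1, 8, 15, 22, 5551234),
              fn_created=filetime(2014, 11, 24, 2, 13, 9, 7712345),
              fn_modified=filetime(2014, 11, 24, 2, 13, 9, 7712345)),
    MftRecord(r"C:\Windows\Temp\stomped.sys",            # $SI set from a whole-second value
              si_created=filetime(2012, 5, 5, 12, 0, 0),
              si_modified=filetime(2012, 5, 5, 12, 0, 0),
              fn_created=filetime(2014, 11, 24, 2, 14, 1, 1029384),
              fn_modified=filetime(2014, 11, 24, 2, 14, 1, 1029384)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(hits))
```

Note what the second sample shows: copying timestamps from a real file, as setMFT does, carries the source's sub-second fraction along, so only the $SI-before-$FN rule catches it. That rule also fires on files restored from backup or copied by tools that preserve creation time, and it is defeated if the attacker renames or moves the file after stomping, since a new $FN attribute takes its timestamps from $SI. Treat the hits as leads to corroborate against $UsnJrnl and $LogFile rather than as verdicts.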
Afset is a second timestomping utility that also clears Windows event logs and rewrites a PE file's build timestamp and checksum. The difference is that afset gives the operator finer control, letting them choose exactly which files to timestomp. Clearing the logs is itself an artifact: Windows records Security event 1102 and System event 104 when a log is cleared, so the gap and the clearing event are indicators in their own right.
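The PE-header half of what afset is described as doing can be made concrete. The Python below is an added example, not Damballa's code or afset's: it builds a constructed minimal PE, rewrites the COFF TimeDateStamp the way a build-time stomper would, shows that the optional-header CheckSum stops validating until it is recomputed (which is why a stomper bothers to fix it), and then applies the one sanity check that still works afterwards, comparing the claimed compile time with when the file was first seen. Function names and the sample binary are assumptions of this example.

```python
import struct

# PE/COFF layout used here: e_lfanew at 0x3C gives the offset of "PE\0\0"; the 20-byte
# COFF header follows, with TimeDateStamp (seconds since 1970) at COFF+4; the optional
# header starts at COFF+20 and carries CheckSum at its offset 64 in both PE32 and PE32+.
def _offsets(data: bytes):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    return coff + 4, coff + 20 + 64          # (TimeDateStamp offset, CheckSum offset)


def pe_timestamp(data: bytes) -> int:
    return struct.unpack_from("<I", data, _offsets(data)[0])[0]


def pe_header_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _offsets(data)[1])[0]


def compute_pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of the file's 16-bit words with the CheckSum field treated
    as zero, plus the file length: the arithmetic imagehlp's CheckSumMappedFile performs."""
    ck_off = _offsets(data)[1]
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if ck_off <= off < ck_off + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = ((total >> 16) + total) & 0xFFFF
    return total + len(data)


def checksum_valid(data: bytes) -> bool:
    return pe_header_checksum(data) == compute_pe_checksum(data)


def _patch_u32(data: bytes, offset: int, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, offset, value)
    return bytes(buf)


def set_pe_timestamp(data: bytes, ts: int) -> bytes:
    """Overwrite the build timestamp. On its own this leaves CheckSum stale."""
    return _patch_u32(data, _offsets(data)[0], ts)


def set_pe_checksum(data: bytes, value: int) -> bytes:
    return _patch_u32(data, _offsets(data)[1], value)


def compile_time_anomalies(data: bytes, first_seen_unix: int) -> list:
    """Checks that survive a recomputed checksum: a zeroed compile time, or one that
    claims the binary was built after it was first observed on disk."""
    ts = pe_timestamp(data)
    hits = []
    if ts == 0:
        hits.append("TimeDateStamp is zero")
    elif ts > first_seen_unix:
        hits.append("TimeDateStamp is later than first observation")
    return hits


def build_minimal_pe(timedatestamp: int) -> bytes:
    """Constructed sample for this example: MZ stub, PE signature, COFF header and a
    zeroed PE32 optional header. Not loadable; just enough header to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timedatestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    pe = build_minimal_pe(1_400_000_000)               # built 2014-05-13
    pe = set_pe_checksum(pe, compute_pe_checksum(pe))
    stomped = set_pe_timestamp(pe, 1_500_000_000)      # now claims 2017-07-14
    print("after timestamp rewrite, checksum valid:", checksum_valid(stomped))
    repaired = set_pe_checksum(stomped, compute_pe_checksum(stomped))
    print("after checksum rewrite, checksum valid:", checksum_valid(repaired))
    print(compile_time_anomalies(repaired, 1_420_070_400))   # first seen 2015-01-01
```

Because the checksum is recomputed, a stomped binary will pass any loader or scanner that only verifies CheckSum; the compile time has to be cross-checked against evidence the attacker does not control, such as the file's first appearance in backups, the USN journal, or endpoint telemetry.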
“The afset sample we obtained appeared to be incomplete or a partial development version. The sample attempted to write a randomly named file with a .sys extension to the local directory with the contents of the “ICONS” resource which is supposed to be the encoded RawDisk driver. However, it failed to decode on execution,” the report stated.
To detect setMFT and afset, Damballa recommended scanning with YARA, the open-source pattern-matching tool used to identify malware by byte and string signatures.