Malicious file was created specifically for breaching Sony

Dec 4, 2014 21:56 GMT  ·  By

Experts in the security industry managed to piece clues together after analyzing a sample of the malware used in the recent Sony hack and inferred that the perpetrators had knowledge of the network prior to the intrusion.

Researchers at Trend Micro have found a connection between the attack on Sony and the malware (dubbed WIPALL) that the FBI warned about at the beginning of the week. The analysis hinted that the hackers, calling themselves Guardians of Peace (GoP), were already familiar with the network they breached.

Hard-coded IP linked to phishing attack in May

More evidence pointing to this theory came on Thursday, from security experts at Blue Coat, who also reviewed samples of the malware.

Due to its propagation mechanism, the researchers labeled it “a worm by definition.”

During the analysis of the threat, they found a text file with more than 10,000 mappings between internal host names and IP addresses, which shows that the intruders already knew the layout of the network and had a clear picture of the machines they were targeting.

The initial intrusion may have happened back in May, based on the intelligence gathered by Blue Coat’s URL scanner, WebPulse. The company had recorded traffic to one of the hard-coded IP addresses, which belongs to a web hosting company in Bolivia, and labeled it as a phishing attempt.

Studying a second sample of the threat, the researchers at Blue Coat discovered signs of previous intrusions. This sample contained commands for deleting the data on the affected system and used hard-coded credentials to connect to other machines on the network.

Modus operandi is similar to other attacks

One interesting detail is that the wiping process resembled that of past attacks attributed to the hackers behind the Shamoon incidents at Aramco, a Saudi Arabian oil company. Both Shamoon and GoP relied on the same commercially available third-party device driver (EldoS RawDisk) to destroy the information.

This resemblance was also confirmed by security researchers at Kaspersky in a blog post on Thursday, who noted other similarities, such as the fact that in both cases the components were compiled shortly before the attack date; Kaspersky refers to this piece of malware as Destover.

One could speculate that the two groups shared knowledge, or that a key member of one group was involved in both incidents.

Sony has hired the incident response team from FireEye’s Mandiant to carry out a forensic analysis of the attack, and the FBI is also investigating the breach, which resulted in large amounts of sensitive data being leaked to file sharing websites.

Some media publications were quick to blame North Korea for the incident, but Sony has not taken an official stance regarding the origin of the attack.

Blue Coat said that a Korean language resource was present in the first sample they analyzed, but this does not by itself mean that the intruders are from North Korea. Moreover, a spokesman for the country’s UN mission told the BBC that it would be best to wait for the haze to lift before jumping to conclusions.

[Image gallery: Signs of previous intrusion (5 images). Captions: Identity of GoP is unknown; Malware used hard-coded credentials to connect to machines; Assembly code for extracting the wallpaper image announcing the compromise]