14 DAY TRIAL // Security experts managed to get a sample of the malware businesses in the US were warned about through an FBI “flash” communication late on Monday and discovered a strong connection to the threat used to clear Sony’s computers of data in the attack conducted on November 24.
The similarities between what transpired from the Sony incident and the law enforcement description of the malicious file were evident from the beginning, but researchers from Trend Micro discovered evidence that the pieces were one and the same.
Malware takes its time before wiping the data
During the analysis, Trend Micro noticed that a variant from the same malware family (dubbed WIPALL) dropped the same wallpaper plastered on the computers of Sony employees.
Carried out by Rhena Inocencio and Alvin Bacani, and with additional input from Joie Salvio, the analysis shows that, once it reaches the target computer, the malware relies on hard coded credentials.
“These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network.
“Once logged in, the threat attempts to grant full access to everyone that will access the system root,” trend Micro says.
According to the report from the FBI, the wiping software creates a network share that can be accessed without any restrictions by other systems in the network.
The security company says that the WIPALL then drops a second file, called “igfxtrayex.exe” and detected as BKDR_WIPALL.B, which remains dormant for a period of 10 minutes before starting to wipe the data from the compromised computers.
Another action is stopping the Microsoft Exchange Information Store service; for the next two hours after this happens, the malware stays dormant again and then forces a system restart.
No details on the data exfiltration method
It appears that a malicious file impersonating Microsoft’s Internet Information Server (IIS) is added to the computer as well. This is later dropped during the infection propagation process, which is completed by executing copies of the malware with parameters for dropping and launching “iisvr.exe” and “usbdrv32.sys” (gives the attacker read/write permission for installed files), and for deleting all storage drives, local or remote. Overwriting the information seems to be the last stage of the attack.
The wallpaper has been discovered to be delivered through a different strain, detected by Trend Micro solutions as BKDR_WIPALL.C.
What is unclear is how the hackers managed to remove the amount of information they claim they have (tens of terabytes of data) and what has already been leaked on file sharing websites.
Attackers are still unknown
Haze also floats around the origin of the attackers. The only clue available is that the group calls itself Guardians of Peace (GoP).
Many have speculated that it may be North Korea trying to compel the studio to stop the release of “The Interview” comedy; but this has been denied by Pyongyang. Moreover, a spokesman for the country’s UN mission told the BBC that DPRK (North Korea) was blamed for everything. “I kindly advise you to just wait and see,” he added.
Sony has not pointed the finger towards North Korea either, and an inside job is not excluded either at this moment.
Was the Sony hack an inside job? Studio sources and security experts say probably. http://t.co/NA9JKNIcSQ
— Matthew Belloni (@THRMattBelloni) December 3, 2014
Sony statement re: Re/code North Korea story. Investigation ongoing into "very sophisticated attack...the re/code story is not accurate.”
— Matthew Garrahan (@MattGarrahan) December 3, 2014
