TrendMicro analyzed the wiper malware that infected Sony Pictures

Pierluigi Paganini December 04, 2014

TrendLabs has analyzed the destructive malware mentioned in the FBI warning recently issued and has linked it to the cyber attack against Sony Pictures.

Researchers at TrendLabs announced that they have identified the strain of malware that appears to have been used in the cyber attack against Sony Pictures systems by GOP (Guardians of Peace). The hackers have compromised the entire network and have stolen a huge amount of data, including unreleased movies, employee data and business sensitive information.

Sony Pictures is supporting the investigation conducted by the FBI and hired FireEye Mandiant to improve the incident response activities. A few days after the attack the FBI issued an alert to warn US businesses of a destructive strain of malware that had been utilized in an attack against a target in the U.S. Although the FBI memo doesn’t explicitly mention Sony Pictures, security experts are convinced that the Federal Bureau of Investigation is referring to the attack on the entertainment company.

Experts at Trend Micro have detected the malware as BKDR_WIPALL. The first stage of the attack chain is BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named “diskpartmg16.exe.”

[Figure: WIPALL infection chain in the Sony Pictures attack (Trend Micro)]

BKDR_WIPALL.A uses XOR encoding with the key 0x67 to protect a set of usernames and passwords that it uses to gain access to the targeted organization’s shared network.

“These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network. Once logged in, the malware attempts to grant full access to everyone that will access the system root.” states Trend Micro in a blog post.
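For analysts triaging a suspected sample, the following added example (not code from Trend Micro or from this article) locates the overlay of a PE file and XOR-decodes it with 0x67 to recover readable strings. The function names, the record layout and the placeholder values in the constructed sample are assumptions made for illustration.

```python
import re
import struct

XOR_KEY = 0x67  # single-byte key Trend Micro reports for the overlay strings

def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay starts: end of the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def xor_strings(data: bytes, key: int = XOR_KEY, min_len: int = 6) -> list[str]:
    """XOR-decode data and return printable ASCII runs, skipping padding noise."""
    decoded = bytes(b ^ key for b in data)
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)
    # Zero padding decodes to runs of 'g' (0x00 ^ 0x67); drop one-character runs.
    return [r.decode("ascii") for r in runs if len(set(r)) > 1]

def build_constructed_sample() -> bytes:
    """Constructed input: minimal PE header, one section, encoded overlay."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x86, 1)                    # NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<II", hdr, 0x178 + 16, 0x200, 0x200)  # raw size, raw pointer
    # Hypothetical record layout with placeholder values, not taken from a real sample
    records = (b"EXAMPLE-HOST\\user01|placeholder-pw-1\0"
               b"EXAMPLE-HOST\\user02|placeholder-pw-2\0")
    overlay = bytes(b ^ XOR_KEY for b in records) + bytes(16)
    return bytes(hdr) + bytes(0x200) + overlay

if __name__ == "__main__":
    sample = build_constructed_sample()
    start = overlay_offset(sample)
    print(hex(start), xor_strings(sample[start:]))
```

Any account names recovered this way from a real sample should be treated as compromised and rotated.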

According to the experts, once BKDR_WIPALL.A has infected the machine it drops the BKDR_WIPALL.B agent, which is disguised as a file named “igfxtrayex.exe” and is the malware component responsible for causing damage. Once it’s dropped, BKDR_WIPALL.B sleeps for 10 minutes, after which it starts deleting files and stops the Microsoft Exchange Information Store service. The threat then sleeps for two hours and forces a system reboot.

The researchers explained that BKDR_WIPALL.B is also able to execute copies of itself with various parameters, a feature that allows the malware to carry out several tasks, including deleting files and dropping additional payloads. The additional component “usbdrv32.sys,” for example, gives attackers read/write access to installed files.

What is the link to the Sony Pictures cyber attack?

The experts at Trend Micro discovered a different variant of the malware, dubbed BKDR_WIPALL.D, which drops BKDR_WIPALL.C. This agent in turn drops an image file called “walls.bmp,” which is the exact “Hacked by GOP” picture that was displayed on infected systems at Sony Pictures.

“This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase “hacked by #GOP.” Therefore we have reason to believe that this is the same malware used in the recent attack to Sony Pictures.” states Trend Micro.



The authorities and the company are still investigating the attack.

To be continued …

Pierluigi Paganini

(Security Affairs –  TrendLabs, Sony Pictures)
