Malware used in the recent banking cyberheists is linked to Sony Pictures hack

Experts at the BAE security firms collected evidence that demonstrates the malware used in the recent cyberheists is linked to 2014 Sony Pictures hack.

A second bank was a victim of a malware-based attack, the news was recently confirmed by the SWIFT. The investigation conducted by the security researchers at BAE Systems are making the situation very intriguing because according to experts the cyberheist at the Bangladesh Bank, and at an unnamed commercial bank in Vietnam are linked could be linked to the clamorous Sony Pictures hack.

At the time of the Sony hack, the US authorities blamed the North Korea for the attack, the Obama administration decided to exacerbate the economic sanctions against 10 senior North Korean officials and three entities of the country.

At this point we have two options, the North Korea is targeting the global financial or we are in front of a false flag operation conducted by someone that is conducting a diversionary operation relying on the code used in the Sony hack.

Security experts Sergei Shevchenko and Adrian Nish from BAE Systems have collected evidence of the link between the malware used in the recent cyber attacks against the financial institutions and the malicious code used to compromise Sony Pictures systems in 2014.

The security duo has demonstrated that the malware used in the attacks against the banks relies on the same wiper component.

“The implementation of this function is very unique – it involves complete filling of the file with the random data in order to occupy all associated disk sectors, before the file is deleted. The file-delete function itself is also unique – the file is first renamed into a temporary file with a random name, and that temporary file is also deleted.” states the analysis published by the experts.

Extending their analysis to previous malware samples with similar features, the duo has found one wiper component called msoutc.exe. The wiper component was compiled on Oct. 24, 2014 and first uploaded to the malware database on March 4, 2016, by a US users.

The wiper-malware once executed checks if there is another instance of itself running on the infected system to prevent multiple copies of the same malware running on it.

If it finds another running instance it runs a script to delete itself from the system.

The experts also discovered that the malicious code encrypted its log file with a key:

y@s!11yid60u7f!07ou74n001

exactly the same key used by another destructive malware reported by PwC in 2015 and also described in the Alert TA14-353A issued by the US CERT in December 2014 following the Sony Pictures hack.

Shevchenko and Nish confirmed that the script used by the malware to erase itself from the infected machine is the same reported in the analysis published by the Novetta security firm on a malware used by the Lazarus APT Group. That’s the group Novetta blamed for the Sony Pictures attack in its report “Operation Blockbuster.”

“Further details of this same toolkit were disclosed in the ‘Op Blockbuster’ report in February 2016. msoutc.exe matches the description of the ‘Sierra Charlie’ variants in their report. From their analysis this is described as a spreader type of malware, presumably used to gain a foothold on multiple devices within a target environment before launching further actions.” continues the report.

Despite the revelations made by Shevchenko and Nish, it is possible that a threat actor reused the code of the Sony Pictures hack to make harder the attribution, but the duo seems to have a different opinion:

“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they concluded.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Sony Pictures hack, Bangladesh attack)