DHS Releases Destover Wiper Malware Indicators of Compromise

A US-CERT advisory describes the malware used in the destructive Sony hack, including indicators of compromise and command and control server IP addresses.

US-CERT released a not-so-cryptic advisory this weekend providing enterprises with indicators of compromise and detailed descriptions of the malware used against “a major entertainment company,” the Department of Homeland Security’s description of Sony Pictures Entertainment.

DHS describes in great detail a worm capable of moving its way through Windows Server Message Block network shares, conducting brute-force password attacks against protected network shares before dropping five other components, including destructive disk-crushing wiper malware.

The advisory was finalized on Saturday, less than a day after the FBI officially blamed North Korea for the attack and President Barack Obama said, during a year-end news conference, that Sony made a mistake in canceling the Christmas Day premiere of the comedy movie The Interview.

“Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems,” the US-CERT advisory said.

The worm acts as a dropper, leaving behind, according to DHS, a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. The worm contains two threads, US-CERT said: the first calls home and sends back log data, while the second attempts to guess passwords on new Windows Server Message Block connections. The worm calls home every five minutes with log data, sending it to one of a handful of command and control servers, and seeks out other SMB shares over port 445. If the brute-force attack works, a file share is established and the malware components are dropped and run on the new host.
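A detection sketch for the two behaviours described above (an added example, not taken from the advisory or this article): it flags hosts in flow records that both check in to one endpoint at roughly five-minute intervals and open port 445 connections to many peers. The record layout, thresholds, addresses and port 8080 are constructed assumptions.

```python
from collections import defaultdict

PERIOD = 300       # seconds; the five-minute call-home interval from the advisory
TOLERANCE = 20     # assumed allowance for timing jitter
MIN_BEACONS = 4    # assumed: regular gaps required before a host is flagged
MIN_SMB_PEERS = 5  # assumed: distinct port-445 peers that count as a sweep

def beaconing_hosts(flows):
    """Sources that reach one endpoint at roughly PERIOD-second intervals."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != 445:
            times[(src, dst, dport)].append(ts)
    hits = set()
    for (src, _dst, _dport), stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if sum(abs(g - PERIOD) <= TOLERANCE for g in gaps) >= MIN_BEACONS:
            hits.add(src)
    return hits

def smb_sweepers(flows):
    """Sources that open port 445 connections to many distinct peers."""
    peers = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445:
            peers[src].add(dst)
    return {src for src, dsts in peers.items() if len(dsts) >= MIN_SMB_PEERS}

def suspects(flows):
    """Hosts showing both behaviours; either one alone is common and benign."""
    return beaconing_hosts(flows) & smb_sweepers(flows)

def sample_flows():
    """Constructed records: (epoch_seconds, src, dst, dst_port)."""
    flows = []
    for i in range(6):   # 10.0.0.5: ~300 s check-ins with slight jitter
        flows.append((i * 300 + i % 3, "10.0.0.5", "203.0.113.10", 8080))
    for n in range(20, 28):  # 10.0.0.5: port 445 attempts against 8 peers
        flows.append((40 + n, "10.0.0.5", f"10.0.0.{n}", 445))
    for ts in (5, 70, 400, 1300):  # 10.0.0.9: irregular web traffic
        flows.append((ts, "10.0.0.9", "203.0.113.20", 443))
    flows += [(10, "10.0.0.9", "10.0.0.2", 445), (900, "10.0.0.9", "10.0.0.3", 445)]
    for i in range(6):   # 10.0.0.7: regular polling but no SMB fan-out
        flows.append((i * 300, "10.0.0.7", "203.0.113.30", 443))
    return flows

if __name__ == "__main__":
    print(sorted(suspects(sample_flows())))
```

Requiring both signals keeps monitoring agents (regular polling only) and ordinary file-share clients (a few SMB peers) out of the result.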

Sony has been under siege since Nov. 24, when employees were greeted with a message on their workstations and threats from a hacker group calling themselves the Guardians of Peace. Since then, Sony has been subjected to numerous data leaks, ranging from unreleased movies and scripts made available online, to embarrassing email exchanges between executives, to the personal health care and contact information of employees released to Pastebin.

Security researchers in the meantime tied samples of the Destover wiper malware used against Sony to the Shamoon attack against Saudi Aramco and the DarkSeoul attacks against financial institutions and media outlets in South Korea. The links between attacks against Sony and the previous two attacks were solid, said Kaspersky Lab researcher Kurt Baumgartner, who noted similarities in the use of the commercially available Eldos RawDisk driver files in the Shamoon and Destover attacks. He also said that wiper drivers are maintained in the dropper’s resource section (in Shamoon and Destover), and disk data and the MBR are overwritten with encoded political messages (Shamoon and DarkSeoul).

While Shamoon has been linked to Iran, DarkSeoul was tied to North Korea and it didn’t take long for investigators to make the same connection with Destover, despite doses of skepticism from security experts.

The DHS advisory is the first deep dive into the malware components left behind by the dropper, including the two wiper components. One of them destroys hard drive data on the first four physical drives it encounters, as well as the master boot record, and comes with an additional program designed to do more damage if a machine is rebooted. If a user has only user-level privileges rather than admin-level, the amount of damage is lessened.

The advisory also provides insight into the backdoor, which can move files and system information, manipulate processes, and also supports remote and command-line code execution.

“This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks,” the advisory said. “There are no callback domains associated with this malware since connections are inbound only on a specified port number.”

In addition to IOCs, the DHS advisory also contains a list of seven command and control servers located in Thailand, Poland, Italy, Bolivia, Singapore, Cyprus and the United States.
