Regarding the hacking, a Sony spokesperson said that the company is “working closely with law enforcement to address it.”

Hacker Group Guardians of Peace (#GOP) took credit for this infamous attack and threatened to release the stolen data if their conditions are not met.

Since then, #GOP has started releasing stolen information on the Internet. The hackers claim to hold about 111 TB of Sony data, which will be leaked if Sony does not capitulate to their demands.

Following this attack, the FBI sent out a Flash Alert this week warning law enforcement agencies of a cyber attack using wiper malware. The wiper Trojan is the section of the Shamoon agent responsible for destroying data on the infected machine’s hard drives. The language pack referenced by the malicious files is Korean. The malware files used in the Sony attack are similar to the malware used to attack South Korean companies last year.

So far, five DVD screeners of Sony Pictures films have been released online through torrents. Four of the films have not yet been released in theatres. The movies have been downloaded over 2 million times.

List of movies leaked:

  • Fury (Released)
  • Annie (Release Date: Dec. 19)
  • Mr. Turner (Release date: Dec. 19)
  • Still Alice (Release date: Dec. 5)
  • To Write Love on Her Arms (Release date: March 2015)

The following files are released through links posted to Pastebin and now circulating on file sharing networks:

  • Password databases, security certificates, MAC addresses for workstations and servers and the usernames of every person with SUDO access
  • A spreadsheet including the names, birth dates, home address and social security numbers of 3,803 employees of Sony Pictures
  • Payroll breakdowns for the entire company in a spreadsheet
  • A spreadsheet detailing all the Sony Pictures employees terminated in 2014, including cause for termination
  • Employee performance reviews
  • The social security numbers of more than 47,000 current and former employees, including celebrities like Sylvester Stallone
  • Salaries for top executives
  • A number of pilot scripts for the 2014 TV seasons
  • Personal information of individuals who worked at Sony Pictures from as far back as 2000

The malware used in the Sony Entertainment attack, named Backdoor.Destover by Symantec, is a wiper Trojan capable of wiping disk drives. Below we share our analysis of the wiper malware. We will conclude with additional thoughts on how users can better protect their network against such emerging advanced threats.

Targeted Attack

This Trojan uses stored username and password combinations to gain access to other machines. The use of stored credentials by the Trojan supports the conclusion that this attack was targeted at the Sony Pictures Entertainment (SPE) network. Needless to say, earlier steps of the attack campaign must have gathered the list of credentials.

Fig 1: Config File with usernames and passwords

Analysis

This sample had three external IP addresses hard-coded inside:

  • 212.31.102.100
  • 58.185.154.99
  • 200.87.126.116

The execution flow of the Trojan:

Fig 2: Code Flow

Main Dropper:

MD5: D1C27EE7CE18675974EDF42D4EEA25C6

When executed on the system, this file launches itself with the -i switch to register itself as a service named WinsSchMgmt, which in turn executes with the -k switch.

Dropped File:

igfxtrayex.exe

MD5: 760c35a80d758f032d02cf4db12d3e55

This file copies itself as taskhost%random%.exe (where %random% is 3 random characters) and executes with different switches to carry out various malicious actions.

taskhost%random%.exe takes the following switches:

  • -w: drops and starts a web server to display a warning message
  • -m: drops the EldoS driver to the system, which is used to write to the hard disk directly
  • -d: deletes all files on the system other than exe and dll files

The malware drops several copies of itself with names similar to Windows system files and executes them with the switches mentioned above.

Fig 3: taskhost%random%.exe launched with different switches

The malware decrypts and drops the following files from its resource (ICON_PACKAGES), depending on the switches:

  • net_ver.dat
  • iissvr.exe
  • usbdrv3.sys

Fig 4: Resource ICON_PACKAGES containing encrypted files

Fig 5: Code to decrypt the embedded files in resource

This Trojan uses an encrypted config file embedded in the resource that holds several IP addresses later used for C&C communication.

Fig 6: net_ver.dat (Config file)

Functionalities displayed by taskhost%random%.exe:

-w switch:

Drops iissvr.exe (decrypted from the resource) into the Windows directory.

MD5: E1864A55D5CCB76AF4BF7A0AE16279BA

iissvr.exe hosts an HTTP web server (port 80) on the infected machine.

Fig 7: iissvr.exe process creation

Fig 8: iissvr.exe

iissvr.exe runs a web server only to show the warning message when http://localhost is visited in a browser on the infected machine.

The warning page hosted by the local web server (iissvr.exe):

Fig 9: Warning page

-m switch:

Drops usbdrv3.sys into the %temp% directory.

MD5: 6AEAC618E29980B69721158044C2E544

Signed: EldoS Corporation (timestamped by GlobalSign Time Stamping Authority)

Fig 10: EldoS driver

This signed driver is part of the EldoS RawDisk library, which offers user-mode applications direct access to files, disks and disk partitions, bypassing the security limitations of the Windows OS. The driver has also been used by previous versions of wiper malware to write directly to the hard disk.

It registers the usbdrv3.sys driver as a service named usbdrv3.

Fig 11: Driver Started as a service

It communicates with the EldoS driver service by acquiring a handle to:

\\?\ElRawDisk\??\\PhysicalDrive2#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F

Fig 12: Handle opened to ElRawDisk

It sends a string of “A”s in a loop to the EldoS driver, requesting that it write the data directly to the hard disk.

Fig 12: A’s written to the disk using the driver

-d switch:

It deletes all files on the system except those with the extensions exe and dll.

Fig 13: Delete files on the system

The malware is also known to wipe out network drives.
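As an added example, not part of the original analysis or of Cyphort's own tooling, the following Python matcher applies the host artifacts described above (the sample MD5s, the three hard-coded IPs, the WinsSchMgmt and usbdrv3 service names, the taskhost%random%.exe switches and the ElRawDisk device path) to a set of constructed process, service, file and network events. The `key=value | key=value` log format and the sample events are assumptions for illustration only.

```python
import re

# Indicators quoted from the analysis above: sample MD5s, hard-coded IPs, service names.
KNOWN_MD5 = {
    "d1c27ee7ce18675974edf42d4eea25c6": "main dropper",
    "760c35a80d758f032d02cf4db12d3e55": "igfxtrayex.exe",
    "e1864a55d5ccb76af4bf7a0ae16279ba": "iissvr.exe",
    "6aeac618e29980b69721158044c2e544": "usbdrv3.sys",
}
HARDCODED_IPS = {"212.31.102.100", "58.185.154.99", "200.87.126.116"}
SUSPECT_SERVICES = {"winsschmgmt", "usbdrv3"}
# taskhost + exactly three random characters run with -w, -m or -d; the real taskhost.exe has no suffix.
TASKHOST_RE = re.compile(r"\btaskhost\w{3}\.exe\b.*\s-[wmd]\b", re.I)
ELRAWDISK = r"\\?\elrawdisk"  # prefix of the device path the wiper opens

def parse_line(line):
    # Constructed "key=value | key=value" event format (assumption, not a real log format)
    return {k.strip(): v.strip() for k, _, v in (kv.partition("=") for kv in line.split(" | "))}

def check_event(ev):
    """Return the indicator names one event matches (empty list if benign)."""
    hits = []
    md5 = ev.get("md5", "").lower()
    if md5 in KNOWN_MD5:
        hits.append("md5:" + KNOWN_MD5[md5])
    if ev.get("dst_ip") in HARDCODED_IPS:
        hits.append("c2:" + ev["dst_ip"])
    if ev.get("name", "").lower() in SUSPECT_SERVICES:
        hits.append("service:" + ev["name"])
    if TASKHOST_RE.search(ev.get("cmdline", "")):
        hits.append("taskhost-switch")
    if ELRAWDISK in ev.get("path", "").lower():
        hits.append("elrawdisk-handle")
    return hits

def scan(log_text):
    """Map 1-based line number -> matched indicators, for lines that matched anything."""
    results = {}
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        if hits := check_event(parse_line(line)):
            results[n] = hits
    return results

# Constructed sample events (not real telemetry); line 5 is a benign legitimate taskhost.exe.
SAMPLE_LOG = r"""
type=process | cmdline=C:\Windows\taskhostq7k.exe -m | md5=760C35A80D758F032D02CF4DB12D3E55
type=service | name=WinsSchMgmt | path=C:\Users\victim\dropper.exe -k
type=file | path=\\?\ElRawDisk\??\PhysicalDrive2#CONSTRUCTED-KEY | image=taskhostq7k.exe
type=network | dst_ip=200.87.126.116 | image=taskhostq7k.exe
type=process | cmdline=C:\Windows\System32\taskhost.exe | md5=00000000000000000000000000000000
"""
```

Run `scan(SAMPLE_LOG)` to see which sample lines match; correlating several distinct indicator types on one host is stronger evidence than any single match.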

Conclusion

In comparison to many reported breaches of retail stores, the recent Sony attacks seem to be motivated by corporate espionage, political activism or international politics rather than financial gain. There is significant sophistication in the tactics, techniques and procedures (TTPs) worth noting, e.g. delivery of attack payloads and configuration in the resource section of the dropper, extensive use of encryption, and use of multiple attack components and Windows service objects. The best defense against such attacks requires an approach that continuously monitors network activities and file movements, detects threat activities across the threat kill chain, and correlates observations across the enterprise network.

Wiper is a complex piece of malware used to carry out targeted attacks. We can expect more malware to adopt similar design and tactics in the future. Cyphort’s threat defense platform detects all the wiper Trojans related to the Sony hack.

Thanks to Paul Kimayong, Marion Marschalek and the rest of Cyphort Labs for their help.