Blue Coat Labs
Custom Sony Malware Indicates Previous Knowledge
Custom Sony Malware Indicates Previous Knowledge
December 4, 2014
Thanks to Waylon Grange and Snorre Fagerland for their help during analysis.
As conflicting news reports continued around Sony Entertainment’s breach, the first malware samples became publicly available yesterday. This allowed deeper analysis to begin understanding part of what occurred. What follows is a summary analysis of those samples.
Before diving in, how do we know these samples are related to the Sony breach? The most convincing evidence is that the #GOP splash screen was encoded in the resource section of one sample and saved to C:\Windows\wall.bmp
The first sample reviewed is a worm by definition that spreads via SMB (md5: 2618dd3e5c59ca851f03df12c0cab3b8). Inside was a text file that contained over 10,000 mappings between internal host names and IP addresses. This indicates the attackers had already performed recon of the network and knew what machines they were interested in targeting. Further indication of the attacker’s previous infiltration is from the use of credentials that were hard coded into the sample. This indicates that previous access was obtained before this sample was deployed, but more importantly that it was designed specifically for Sony’s network.
There were reports the attackers are from North Korea due to displeasure in an upcoming Sony Pictures comedy film involving the assassination plot of Kim Jong-un. We won’t speculate one way or another, but can confirm there was a Korean language resource section in the first sample.
This sample also had three external IP addresses hard-coded inside:
Blue Coat’s WebPulse system recorded traffic to 126.96.36.199 at least as far back as May 2014 in what appears to be a phishing style webpage. The IP address belongs to Entel, a Bolivian telecommunication company. A top referrer to this IP address was bec[.]com[.]bo, which has had individual URLs marked as phishing or suspicious in the Blue Coat database since 2012. Based on whois information, the BEC domain itself appears to be affiliated with MegaLink SRL which offers web hosting and Internet access in La Paz Bolivia.
Also embedded was a second sample (b80aa583591eaf758fd95ab4ea7afe39) which contains the functionality for wiping the system. The second sample further indicates previous intrusions. During behavioral analysis in Blue Coat’s Malware Analysis Appliance (MAA), it was observed the sample made several attempts to connect to machines with hard-coded credentials. The account name used was consistent, indicating the attackers previously compromised (or created) the account.
During the analysis, after ten attempts to connect to one of the local systems, the process of wiping the hard drive began. This was accomplished with the legitimate 3rd party device driver that allows raw disk access from ElDOS. Interestingly, these were the same drivers used by the Shamoon attacks in 2012. Similarities of the attackers end there. It is also worth noting this second sample was correctly analyzed and detected by MAA 4.2.1 (currently in Beta) due to a new feature that allows detecting and by-passing abnormal sleeps.
Neither sample was particularly complex - apparently no more than was necessary to be effective. No binary packing, obfuscation of the samples, or anti-debugging techniques were observed. Some effort was taken to encode the resources, including the splash image, and two drivers. The first driver was the raw disk driver already mentioned. The second was kProcessHacker, which is an open-source driver used to watch and modify processes on the system.
As an example, the assembly code shown to the left is used to extract the image. Notice the “%s\\walls.bmp” near the bottom of the top box, where it is appended to the result of the GetWindowsDirectoryW call. Just prior to getting the Windows directory the attackers made a call to a function that we have labeled “decode”. Which is the next piece of assembly code shown below and used to decrypt the three embedded resources.
The first block includes the encryption seed values used in the third block. The third block is a typical XOR decoder, looping through the data. There is nothing earth-shattering or advanced in this technique of hiding resources.
While time and further investigation by Sony Entertainment’s incident response team and law enforcement authorities may prove parts of the breach were advanced, these samples don’t show a high level of sophistication. The intrusion was executed successfully, so the perceived skill level (based on the sample) is less important than the fact that it was effective. The host file with over ten thousand entries, and hard-coded credentials imply planning and previous knowledge gained. Prevention is ideal, but detection is mandatory. This is even more important when dealing with lateral movement inside a network.
As an aside, this particular sample highlights the value of a network architecture where workstations
cannot talk to each. While host-to-host file sharing, and communication can be convenient, it makes lateral movement for an attacker far easier. Workstations need to talk to servers and printers, but rarely have a legitimate reason to talk directly to each other. This worm would be ineffective in that architecture and it would allow closer monitoring (with Blue Coat's Security Analytics for example) at key choke points, improving the odds of detecting laternal movement early.