Sony Pictures appeared to have been targeted by a destructive Trojan (Dec 3, 2014)


Sony Corp has been in the news again for being the victim of a major attack that led to a number of Sony films to be leaked onto file-sharing sites. A group calling themselves Guardians of Peace (GOP) has taken the responsibility for these attacks. If few media sources are to be believed, the motive for this attack seems rather outlandish. Some believe that this attack is a retaliation against Sony Picture’s upcoming movie The Interview which revolves around a CIA plot to kill the North Korean leader Kim Jong-Un. Shortly after this attack the Federal Bureau of Investigation issued a flash warning message to U.S. businesses indicating presence of a destructive threat.

Dell SonicWALL Threats Research team has obtained variants of samples described. The analysis is below.

Infection Cycle:

  • It drops the following files that have been associated with the attack:
    • igfxtrayex.exe [Detected as GAV: Wiper.A (Trojan)]
    • net_ver.dat

  • Net_ver.dat appears to be a list of IP addresses of its target victim.
  • It establishes connection to multiple IPs as listed in the net_ver.dat file and thereby attempts to perform a SYN Flood Attack.
  • The resource section of the main file shows that the language pack used was Korean.
  • It then creates copies of itself named as “taskhost**.exe”
  • The Trojan registers itself as a Windows service by adding the following registry key:
    • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinsSchMgmt DisplayName “Windows Schedule Management Service”

  • The following interesting strings were observed in the dropped file:
    • cmd.exe /q /c net share shared$ /delete
    • cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL
    • cmd.exe /c wmic.exe /node:”%s” /user:”%s” /password:”%s” PROCESS CALL CREATE “%s” > %s
    • cmd.exe /c net stop MSExchangeIS /y
    • cmd.exe /c net stop termservice /y

  • The malware gets its name Wiper owing to its capabilities to wipe the hard drive of the infected system. The screenshot below is of one of our analysis systems after we infected it with Wiper:

Dell SonicWALL provides protection against these threats via the following signatures:

  • GAV: Wiper.SNP (Trojan)
  • GAV: Wiper.SN (Trojan)
  • GAV: Wiper.A (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.