Sony Pictures appeared to have been targeted by a destructive Trojan
Sony Corp has been in the news again as the victim of a major attack that led to a number of Sony films being leaked onto file-sharing sites. A group calling itself Guardians of Peace (GOP) has claimed responsibility for these attacks. If some media sources are to be believed, the motive for the attack is rather outlandish: some believe it is retaliation for Sony Pictures' upcoming movie The Interview, which revolves around a CIA plot to kill the North Korean leader Kim Jong-Un. Shortly after the attack, the Federal Bureau of Investigation issued a flash warning to U.S. businesses indicating the presence of a destructive threat.
The Dell SonicWALL Threats Research team has obtained variants of the samples described in that warning. Our analysis is below.
- It drops the following files, which have been associated with the attack:
  - igfxtrayex.exe [Detected as GAV: Wiper.A (Trojan)]
  - Net_ver.dat, which appears to be a list of IP addresses of its target victims.
- It establishes connections to the IPs listed in the net_ver.dat file and attempts a SYN flood attack against them.
- The resource section of the main file shows that the language pack used was Korean.
- It then creates copies of itself named "taskhost**.exe".
- The Trojan registers itself as a Windows service by adding the following registry key:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinsSchMgmt DisplayName "Windows Schedule Management Service"
- The following interesting strings were observed in the dropped file:
  - cmd.exe /q /c net share shared$ /delete
  - cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL
  - cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %s
  - cmd.exe /c net stop MSExchangeIS /y
  - cmd.exe /c net stop termservice /y
- The malware gets its name, Wiper, from its capability to wipe the hard drive of the infected system. The screenshot below shows one of our analysis systems after we infected it with Wiper:
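As an added illustration, not part of the original advisory, the Python script below turns the indicators listed above (dropped file names, the WinsSchMgmt service, the taskhost**.exe copies, the net share / wmic / net stop command lines) into a triage check over constructed process-creation and service-install log lines. The log line format, the two-character suffix assumed for "taskhost**.exe", and every sample value are assumptions made for the example.

```python
import re

# Indicators taken from the advisory above. Each pattern is paired with the
# label reported when a log line matches it.
INDICATORS = [
    ("dropped-file",    re.compile(r"\b(?:igfxtrayex\.exe|net_ver\.dat)\b", re.I)),
    ("service-install", re.compile(r"WinsSchMgmt|Windows Schedule Management Service")),
    # Assumption: "taskhost**.exe" means taskhost + two characters + .exe.
    # The legitimate taskhost.exe / taskhostw.exe do not match, but Windows 8's
    # taskhostex.exe would, so confirm the path and signature before acting.
    ("self-copy",       re.compile(r"(?<![\w.])taskhost[0-9a-z]{2}\.exe\b", re.I)),
    ("share-abuse",     re.compile(r"\bnet\s+share\s+shared\$", re.I)),
    ("remote-exec",     re.compile(r"\bwmic(?:\.exe)?\s+/node:", re.I)),
    ("service-stop",    re.compile(r"\bnet\s+stop\s+(?:MSExchangeIS|termservice)\b", re.I)),
]

def classify(line):
    """Return the labels of every indicator found in a single log line."""
    return [label for label, pattern in INDICATORS if pattern.search(line)]

def scan(lines):
    """Return (line_number, labels) for each line that matches at least one indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        labels = classify(line)
        if labels:
            hits.append((lineno, labels))
    return hits

# Constructed sample log: one legitimate taskhost.exe start, one benign net stop,
# and five lines modelled on the behaviours described in the advisory.
SAMPLE_LOG = [
    r"Sysmon ProcessCreate: Image=C:\Windows\System32\taskhost.exe CommandLine=taskhost.exe",
    r"Sysmon ProcessCreate: Image=C:\Windows\Temp\taskhostab.exe CommandLine=taskhostab.exe",
    r"System 7045: A service was installed. Service Name: WinsSchMgmt "
    r"Display Name: Windows Schedule Management Service Image: C:\Windows\igfxtrayex.exe",
    r"Sysmon ProcessCreate: CommandLine=cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL",
    r"Sysmon ProcessCreate: CommandLine=cmd.exe /c net stop MSExchangeIS /y",
    r'Sysmon ProcessCreate: CommandLine=cmd.exe /c wmic.exe /node:"192.0.2.5" /user:"<redacted>" '
    r'/password:"<redacted>" PROCESS CALL CREATE "C:\Windows\Temp\taskhostab.exe"',
    r"Sysmon ProcessCreate: CommandLine=net stop spooler /y",
]

if __name__ == "__main__":
    for lineno, labels in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(labels)}")
```

Lines 1 and 7 of the sample produce no hits; line 6 reports both the wmic remote execution and the taskhost**.exe copy it launches.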
Dell SonicWALL provides protection against these threats via the following signatures:
- GAV: Wiper.SNP (Trojan)
- GAV: Wiper.SN (Trojan)
- GAV: Wiper.A (Trojan)