Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.

Jul 18, 2015

Page 1: Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.

Cyphort Labs Malware’s Most Wanted Series
Attack on Sony Pictures

Destover

Most Wanted of 2014
@belogor

Page 2:

Your speakers today

Nick Bilogorskiy (@belogor)
Director of Security Research

Shel Sharma
Product Marketing Director

Page 3:

Agenda

o Sony Destover trojan dissection

o Sony attack attribution

o Most wanted of 2014

o Wrap-up and Q&A

Page 4:

Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from the malware KB

o Best of 3rd-party threat data

Page 5:

Sony Pictures Attack by Destover Trojan

o Attack on Sony Pictures, Nov 24, 2014, by GOP (“Guardians of Peace”)

o 111 terabytes of data stolen

o Suspected origin: North Korea

o 7 lawsuits filed against Sony, so far

o Controversy over “The Interview”, which has made $46 million to date

o Trojan designed specifically for Sony’s network

Page 6:

Attack Timeline for Sony Pictures, Nov – Dec 2014

Nov 21: Sony receives email from ‘God’s Apstls’

Nov 24: Wiper activates

Nov 27: Guardians of Peace claims credit, starts releasing stolen movies

Dec 1: FBI sends “flash alert”

Dec 3: Destover malware discovered

Dec 11: GOP leaks Sony exec emails

Dec 15: Sony hit with 1st class-action lawsuit for failure to protect employee info

Dec 17: Sony cancels movie “The Interview”

Dec 19: FBI says hack done by North Korea

Dec 23: Sony decides to release “The Interview” on Dec 25

Page 7:

What was stolen and leaked?

In a word, everything!

o Personal data on employees

o Movies and scripts

o Performance reports and salary information

o Source code, private keys, passwords, certificates

o Production schedules, box office projections

o Executives’ email correspondence

o Brad Pitt’s phone number! and more...

Page 8:

Destover Workflow Diagram

[Diagram] Attacker -> Command and Control servers -> Destover (spreads via SMB port 445) -> drops the wiper. The dropper’s -w switch deploys the webserver and its -d switch the disk driver; the disk wiper is dropped last.

Page 9:

Wiper Command and Control

o The Trojan carries an encrypted config file, net_ver.dat, embedded in its resource section; it holds several IP addresses that are later used for C&C communication.

o Once connectivity to a C&C server is established, the Trojan starts a two-hour countdown, after which the infected machine reboots.

net_ver.dat (config file)

Page 10:

Wiper switches

The module can be executed with many parameters:

switch   description
-i       Install itself as a service
-k       Remove the service
-d       Start the file wipe module
-s       Mount remote shares using hardcoded credentials and delete files from them
-m       Drop the EldoS RawDisk kernel driver to wipe the MBR
-a       Start the anti-AV module
-w       Drop and execute the webserver that shows the ransom message

Page 11:

-w Warning

• This switch drops a webserver that is decrypted from the resource section.

• It runs on the infected machine for the sole purpose of showing the user the ransom message.

Page 12:

-d switch

o usbdrv3.sys is EldoS RawDisk, a commercial product that enables raw access to the hard disk from Windows.

o After ten attempts to connect to one of the local systems, wiping of the hard drive begins.

Page 13:

-d Delete

o Sends a string of “AAAAA”s in a loop to the EldoS driver, asking it to write directly to the hard disk.

o Deletes all files on the system except those with the extensions .exe and .dll.

o The malware is also known to wipe network drives.

Page 14:

POLL #1 – Who was it? Who do you think is responsible?

o A – North Korea

o B – Insiders

o C – Sony hacked itself

o D – China

o E – Russia

o F – None of the above

Page 15:

Attribution is Hard… The GoP pastebin hoax

Dec 20: By GOP – “CNN, give us the Wolf”:

The result of investigation by CNN is so excellent that you might have seen what we were doing with your own eyes. We congratulate you success. CNN is the BEST in the world.

You will find the gift for CNN at the following address.

https://www.youtube.com/watch?v=hiRacdl02w4

Enjoy!

P.S. You have 24 hours to give us the Wolf.

Dec 24: FBI: the GOP threaten USPER2 – NEWS ORGANIZATION

Dec 31: Homeland Security writer takes credit as a joke

Page 16:

Insiders?

o The Trojan uses stored username/password combinations to gain access to other machines.

o How did the attackers get them? They must have known the internal network, either from insiders or from an earlier compromise.
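A check that follows from this slide: if the Trojan reuses stored credentials to reach other machines over SMB, the spread shows up in the domain’s logon records as one account authenticating to many hosts from one source in a short window. The Python below is an added example, not Cyphort’s code and not anything from the Sony investigation; it runs that detection over a handful of constructed records shaped like Windows Security event 4624 with LogonType 3 (network logon, which is what an SMB session produces). The field names, the 10-minute window and the 5-host threshold are assumptions about your own log pipeline.

```python
"""Flag one account fanning out to many hosts via network logons (added example).

Input records are constructed to resemble Windows Security event 4624 with
LogonType 3. The field names (ts, event_id, logon_type, user, src_ip, dst_host)
are an assumption about how a SIEM normalises these events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: svc_backup suddenly reaches six file servers from one host
# in three minutes; jdoe and the machine account WS42$ are benign activity.
SAMPLE_EVENTS = [
    {"ts": "2014-11-23T21:10:00", "event_id": 4624, "logon_type": 3, "user": "jdoe", "src_ip": "10.1.5.7", "dst_host": "fs01"},
    {"ts": "2014-11-23T22:00:00", "event_id": 4624, "logon_type": 3, "user": "WS42$", "src_ip": "10.1.5.42", "dst_host": "dc01"},
    {"ts": "2014-11-23T22:00:05", "event_id": 4624, "logon_type": 3, "user": "WS42$", "src_ip": "10.1.5.42", "dst_host": "dc02"},
    {"ts": "2014-11-23T22:00:10", "event_id": 4624, "logon_type": 3, "user": "WS42$", "src_ip": "10.1.5.42", "dst_host": "fs01"},
    {"ts": "2014-11-23T22:00:15", "event_id": 4624, "logon_type": 3, "user": "WS42$", "src_ip": "10.1.5.42", "dst_host": "fs02"},
    {"ts": "2014-11-23T22:00:20", "event_id": 4624, "logon_type": 3, "user": "WS42$", "src_ip": "10.1.5.42", "dst_host": "fs03"},
    {"ts": "2014-11-23T22:01:05", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs01"},
    {"ts": "2014-11-23T22:01:40", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs02"},
    {"ts": "2014-11-23T22:02:10", "event_id": 4624, "logon_type": 2, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "ws07"},
    {"ts": "2014-11-23T22:02:10", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs03"},
    {"ts": "2014-11-23T22:02:50", "event_id": 4625, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs09"},
    {"ts": "2014-11-23T22:02:55", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs04"},
    {"ts": "2014-11-23T22:03:30", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs05"},
    {"ts": "2014-11-23T22:04:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.1.1.20", "dst_host": "fs06"},
    {"ts": "2014-11-23T22:15:00", "event_id": 4624, "logon_type": 3, "user": "jdoe", "src_ip": "10.1.5.7", "dst_host": "mail01"},
]


def find_fan_out(events, window_seconds=600, min_hosts=5):
    """Return one alert per (user, src_ip) that completed successful network
    logons to at least `min_hosts` distinct hosts inside any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue                      # only successful network logons
        if e["user"].endswith("$"):
            continue                      # machine accounts fan out legitimately
        by_actor[(e["user"], e["src_ip"])].append(
            (datetime.fromisoformat(e["ts"]), e["dst_host"]))

    alerts = []
    for (user, src_ip), logons in by_actor.items():
        logons.sort()
        best = None                       # (window start, host set) with most hosts
        start = 0
        for end in range(len(logons)):    # sliding window over time-sorted logons
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                best = (logons[start][0], hosts)
        if best is not None:
            alerts.append({"user": user, "src_ip": src_ip,
                           "first_seen": best[0].isoformat(),
                           "hosts": sorted(best[1])})
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_EVENTS):
        print(f"{alert['user']}@{alert['src_ip']} -> {len(alert['hosts'])} hosts "
              f"from {alert['first_seen']}: {', '.join(alert['hosts'])}")
```

On the sample data only svc_backup@10.1.1.20 fires (six hosts in under three minutes); the machine account reaches five hosts in the same window but is excluded because computer accounts do that routinely, and the interactive logon and the failed 4625 are ignored. Tune the window and threshold against a baseline of your own service accounts before alerting on it.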

Page 17:

Alternative Arguments? … Similarity to other APT attacks

o August 2012: Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. Credit claimed by Cutting Sword of Justice.

o 2013: DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 32,000 systems at South Korean banks and media companies. Credit claimed by Whois.

Page 18:

North Koreans?

o The resource section of the main file is tagged with the Korean language ID, i.e. the resources were built with Korean language settings.
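How that clue is actually read off a binary: the resource tree in a PE file’s .rsrc section is three levels deep (type, then name or ID, then language), and the third-level ID is a Windows LANGID whose low 10 bits give the primary language (0x12 is LANG_KOREAN, 0x09 LANG_ENGLISH). The Python below is an added example, not from the Cyphort deck or from any Destover analysis; it walks a constructed .rsrc blob with the standard IMAGE_RESOURCE_DIRECTORY layout and reports the languages found. On a real file you would first locate the .rsrc section through the section table (a library such as pefile does that for you); this walker assumes you already have the section’s raw bytes, because offsets inside the directory are relative to the section start. Keep in mind the caveat: the LANGID is a build-environment artefact that whoever controls the build can set to anything, so it is corroboration, not proof.

```python
"""Walk a PE .rsrc section and report the language IDs its resources carry
(added example; the sample blob is constructed, not taken from a real binary).
"""
import struct

DIR_HDR = struct.Struct("<IIHHHH")   # Characteristics, TimeDateStamp, Major, Minor, NumNamed, NumId
DIR_ENTRY = struct.Struct("<II")     # Name/ID, OffsetToData (high bit set => subdirectory)
DATA_ENTRY = struct.Struct("<IIII")  # OffsetToData (RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000

# Primary language IDs from winnt.h (low 10 bits of a LANGID).
PRIMARY_LANG = {0x04: "Chinese", 0x09: "English", 0x11: "Japanese",
                0x12: "Korean", 0x19: "Russian"}


def walk_resources(rsrc, off=0, path=()):
    """Yield (path, data_entry_offset) for every leaf; path is (type, name, langid)."""
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(rsrc, off)
    pos = off + DIR_HDR.size
    for _ in range(n_named + n_id):
        name, target = DIR_ENTRY.unpack_from(rsrc, pos)
        pos += DIR_ENTRY.size
        if name & SUBDIR_FLAG:           # named entry: offset to a UTF-16 string
            name = f"str@{name & 0x7FFFFFFF}"
        if target & SUBDIR_FLAG:
            yield from walk_resources(rsrc, target & 0x7FFFFFFF, path + (name,))
        else:
            yield path + (name,), target


def primary_language_name(langid):
    return PRIMARY_LANG.get(langid & 0x3FF, f"unknown(0x{langid & 0x3FF:02x})")


def language_summary(rsrc):
    """Count resources per primary language, e.g. {'Korean': 1, 'English': 1}."""
    counts = {}
    for path, _ in walk_resources(rsrc):
        if len(path) == 3 and isinstance(path[2], int):
            lang = primary_language_name(path[2])
            counts[lang] = counts.get(lang, 0) + 1
    return counts


def _directory(entries):
    """Pack a directory header plus ID entries (helper for the constructed sample)."""
    hdr = DIR_HDR.pack(0, 0, 0, 0, 0, len(entries))
    return hdr + b"".join(DIR_ENTRY.pack(n, t) for n, t in entries)


# Constructed .rsrc blob: RT_RCDATA (10) / id 101 tagged Korean (0x0412) and
# RT_VERSION (16) / id 1 tagged US English (0x0409).
# Offsets: root 0, dirA 32, dirA1 56, dirB 80, dirB1 104, data entries 128 and 144.
SAMPLE_RSRC = (
    _directory([(10, SUBDIR_FLAG | 32), (16, SUBDIR_FLAG | 80)])  # root: by type
    + _directory([(101, SUBDIR_FLAG | 56)])                      # dirA: by id
    + _directory([(0x0412, 128)])                                # dirA1: by language
    + _directory([(1, SUBDIR_FLAG | 104)])                       # dirB: by id
    + _directory([(0x0409, 144)])                                # dirB1: by language
    + DATA_ENTRY.pack(0x3000, 64, 0, 0)                          # leaf for the Korean resource
    + DATA_ENTRY.pack(0x3040, 32, 0, 0)                          # leaf for the English resource
)

if __name__ == "__main__":
    for path, off in walk_resources(SAMPLE_RSRC):
        print(path, "->", DATA_ENTRY.unpack_from(SAMPLE_RSRC, off))
    print(language_summary(SAMPLE_RSRC))
```

A mixed result (Korean RCDATA next to English version info, as in the constructed sample) is itself informative: it suggests resources assembled on different machines or copied from another build, which is the kind of detail worth recording alongside the headline language.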

Page 19:

North Korea? Argument #1

FBI Bulletin, Dec 19

o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

o Hackers used their true IP address

o Similar tools

o Malware analysis
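Page 9 and the FBI’s second argument here turn on the same artefact: the IP addresses hardcoded in the malware’s config, and whether they overlap with infrastructure already tied to a known actor. The Python below is an added example, not Cyphort’s code, of the analyst step that follows decryption: carve dotted-quad endpoints out of a decrypted config blob, drop the junk a naive regex would accept, and intersect the result with an indicator list. The deck does not describe net_ver.dat’s layout, so the NUL-separated format of the sample blob is an assumption, and both the blob and the “known infrastructure” list are constructed from RFC 5737 documentation addresses.

```python
"""Carve C&C endpoints from a decrypted config blob and check them against
known infrastructure (added example; blob and indicator list are constructed).
"""
import ipaddress
import re

# Dotted quad with optional :port, not glued to surrounding digits or dots.
ENDPOINT_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])")

# Constructed stand-in for a decrypted net_ver.dat (NUL-separated entries is an
# assumption). Documentation addresses only, plus junk a naive regex accepts.
SAMPLE_CONFIG = (
    b"\x01\x00net_ver\x00"
    b"203.0.113.5:8080\x00"
    b"198.51.100.77:443\x00"
    b"192.0.2.19\x00"
    b"127.0.0.1:80\x00"          # loopback: never a real C&C
    b"999.1.1.1\x00"             # octet out of range
    b"198.51.100.77:70000\x00"   # port out of range
    + b"\x00" * 8
)

# Constructed indicator list standing in for "infrastructure previously linked to the actor".
KNOWN_INFRA = ["198.51.100.77", "198.51.100.80"]


def carve_endpoints(blob):
    """Return sorted unique (ip, port) pairs; port is None when absent.
    Invalid octets, invalid ports and non-routable addresses are dropped."""
    found = set()
    for m in ENDPOINT_RE.finditer(blob):
        try:
            ip = ipaddress.IPv4Address(m.group(1).decode("ascii"))
        except ipaddress.AddressValueError:
            continue                      # e.g. 999.1.1.1 matches the regex but is not an address
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 0 < port <= 65535:
            continue
        found.add((str(ip), port))
    return sorted(found, key=lambda ep: (ipaddress.IPv4Address(ep[0]), ep[1] or 0))


def infrastructure_overlap(endpoints, known_infra):
    """IPs from the config that also appear in the indicator list."""
    known = set(known_infra)
    return sorted({ip for ip, _ in endpoints if ip in known})


if __name__ == "__main__":
    eps = carve_endpoints(SAMPLE_CONFIG)
    print("carved:", eps)
    print("overlap with known infrastructure:", infrastructure_overlap(eps, KNOWN_INFRA))
```

An overlap of one address is a lead, not a conclusion: shared hosting, compromised relays and deliberately reused infrastructure all produce the same match, which is why the FBI statement pairs it with code similarity and tooling overlap rather than resting on it alone.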

Page 20:

North Korea? Argument #2

o Snowden documents show the NSA first hacked North Korea in 2010, with help from South Korea

o “early warning radar” was implanted to monitor North Korea

o Fourth party collection

Page 21:

North Korea Bureau 121

o Reconnaissance General Bureau, North Korea’s main intelligence service, with 6,000 hackers

o Bureau 121, its secretive hacking unit, with a large outpost in China

o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.

Page 22:

North Korea Bureau 121.

Page 23:

Most Wanted of 2014

o APT: Regin, a.k.a. Prax / Qwerty / WARRIORPRIDE

o APT: DarkHotel, a.k.a. Luder / Karba / Tapaoux / Nemim

o APT: Turla, a.k.a. Uroboros / Snake. Origin: Russia

o POS: BlackPOS. Victim: Target

o POS: FrameworkPOS. Victim: Home Depot

o POS: Backoff. Victims: Albertsons, Dairy Queen, …

o NightHunter. Origin: Spain

o CryptoLocker ransomware (“Accessory to Murder”)

o Exploits: Shellshock, Heartbleed, POODLE

o Destover, a.k.a. Sony Trojan

Page 24:

APT: Regin

o Active since around 2008

o Victims: Belgacom, European Parliament

o Suspected Origin: NSA / GCHQ

o Multi-layer malware with 6 stages

o Extensible platform with custom plugins: network traffic monitoring, key logging, credential capturing

Known as Regin / Prax / Qwerty / WARRIORPRIDE

Image source: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance

Page 25:

APT: DarkHotel

o Campaign started in 2007

o Targets executives through hotel networks

o Suspected Origin: South Korea

o Sandbox evasion & anti-virus detection

o Espionage & data exfiltration

o Components: kernel-mode keylogger, downloader, information stealer (collects email and IM accounts, system info)

Known as Luder / Karba / Tapaoux / Nemim

Page 26:

APT: Turla, known as Uroboros / Snake

o Active since around 2008

o Framework for Espionage against France and other NATO states

o Suspected Origin: Russia

o Uses direct spear-phishing e-mails and watering hole attacks to infect victims.

o Has a Linux rootkit component

Page 27:

Point of Sale (POS) Malware

BlackPOS
• November 2013
• 40 million cards stolen
• $500 million total exposure to Target (Gartner)
• Cards resold on the Rescator forum

Backoff
• Began in October 2013
• Government warned retailers in July
• Not targeted
• Protected by a run-time packer
• Supports keylogging
• Communicates with a C&C, can update itself
• More than 1,000 victims

FrameworkPOS
• April – Sep 2014
• 56 million cards leaked
• Copy-cat attack, imitated BlackPOS
• Cards resold on the Rescator forum
• Likely different actors

Page 28:

Exploits

Heartbleed
• April 2014
• CVE-2014-0160
• Exploits a flaw in the TLS heartbeat extension
• Buffer over-read
• 39% of Internet users changed their passwords, according to Pew
• 500,000 vulnerable websites

POODLE
• Found in September 2014
• CVE-2014-3566
• Google discovered a flaw in SSL v3
• Allows a man-in-the-middle attacker to recover plaintext
• Stands for “Padding Oracle On Downgraded Legacy Encryption”
• Not as bad as the other two

ShellShock
• Found in September 2014
• CVE-2014-6271
• Bug in the Bash shell allowed execution of arbitrary commands
• 1.5 million attacks per day, according to CloudFlare
• 500 million vulnerable machines!
• Yahoo hacked on Oct 6 via this

Page 29:

NightHunter

o Discovered by Cyphort in March 2014, NightHunter is a major data exfiltration campaign that went undetected for 5 years.

o Steals users’ login credentials for Google, Facebook, Dropbox, Skype and other services

o Malware coded in .NET

o At least 1,800 infections

o Exfiltrates via SMTP; more than 3,000 unique keylogger binaries

o Ten different string obfuscation techniques

Page 30:

NightHunter

[Diagram]

1. User receives a phishing email with a DOC/ZIP attachment

2. Stage 1 – EXE decrypts the DLL from a resource section and loads it from memory

3. Stage 2 – DLL runs from the EXE’s process memory and sends out credentials via SMTP

4. Attacker receives the stolen credentials on the email server

Page 31:

Cryptolocker

o Began September 2013

o Encrypts victim’s files, asks for $300 ransom

o Impossible to recover files without a key

o Ransom increases after deadline

o Goal is monetary via Bitcoin

o 250,000+ victims worldwide (According to Secureworks)

o Unforeseen Consequences

Page 32:

Cryptolocker Overview

[Diagram] Locked files -> Bitcoin ransom sent to the C&C server -> private key sent back -> unlocked files

Page 33:

POLL #2 – What was the “most wanted” attack of 2014?

o A – Sony Destover Trojan

o B – Cryptolocker

o C – Backoff POS Trojan

o D – NightHunter

o E – Shellshock exploit

o F – None of the above

Page 34:

Conclusions

1. The Sony attack was sophisticated, targeted and politically motivated.

2. In Sony’s case, an early compromise that harvested user account credentials led to the later stage, which used malware built with those credentials embedded.

3. Sony is the first significant breach where the data exposure goes beyond “consumer account and personal information”, with direct theft of corporate assets (movies & scripts) and with legal implications for corporate obligations and contracts.

4. 2014 was an exceptional year for malware, with successful malware breaches at Target, Sony, JPMorgan and Home Depot, to name a few.

5. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across the threat kill chain, and correlates observations across the enterprise network.

Page 35:

Thank You!
Twitter: @belogor

Previous MMW slides on

http://cyphort.com/labs/malwares-wanted/

Page 37:

References:

http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

http://blog.erratasec.com/2015/01/the-gop-pastebin-hoax.html

http://thehackernews.com/2015/01/police-ransomware-suicide.html

http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307

http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?_r=0

http://thehackernews.com/2014/12/powerful-linux-trojan-turla.html

http://www.cyphort.com/latest-sony-pictures-breach-deadly-cyber-extortion/

http://www.darkreading.com/shellshock-bash-bug-impacts-basically-everything-exploits-appear-in-wild/d/d-id/1316064

http://www.pewinternet.org/2014/04/30/heartbleeds-impact/

http://www.bbc.com/news/technology-29361794

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25630/en_US/McAfee_Labs_Threat_Advisory_Trojan-Wiper.pdf

http://arstechnica.com/information-technology/2015/01/nsa-secretly-hijacked-existing-malware-to-spy-on-n-korea-others/

http://securelist.com/blog/research/67985/destover/

http://deadline.com/2014/12/is-the-chinese-armys-cyber-squad-behind-the-sony-attack-1201325918/