• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   WIPALL Malware Leads to #GOP Warning in Sony Hack

WIPALL Malware Leads to #GOP Warning in Sony Hack

  • Posted on:December 5, 2014 at 4:47 pm
  • Posted in:Bad Sites, Malware
  • Author:
    Trend Micro
1

Our previous blog entry discussed the “destructive” FBI security advisory and an analysis about the WIPALL malware family and its direct connection to the massive Sony Pictures hack. In this blog post, we will further discuss other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees. Below is an overview of the infection chain to be discussed in this entry:

BKDR64_WIPALL.F Disables McAfee’s Services

The WIPALL variant BKDR_WIPALL.C shares the same coding as the previously discussed variant, BKDR_WIPALL.B. In the case of BKDR_WIPALL.C, the dropped copies are named as igfxtrays{2 random characters}.exe and executes several copies of itself with specific parameters (-a, -m, -d, -s), which contain its main routines.

Figure 1. Main malware routines of BKDR_WIPALL.C

It is a notable observation that BKDR_WIPALL.C checks if the infected system is 64-bit. If found to be running on a 64-bit system, the malware drops kph.sys (KProcessHacker driver) and its component ams.exe (detected as BKDR64_WIPALL.F).

We noticed that BKDR64_WIPALL.F replaces McAfee’s real-time scanner, mcshield.exe with another file located in its current directory, while the original mcshield.exe is placed in the system32 directory. In turn, when McAfee’s service executes, the replacement file will be executed instead of the legitimate real-time scanner component, effectively disabling the antivirus’ operation.

Figure 2. BKDR64_WIPALL.F obtains the Image Path of McShield.exe from the registry’s list of services: HKLM\CurrentControlSet\services\McShield

Figure 3. BKDR64_WIPALL.F moves the legitimate mcshield.exe to the System32 folder and replaces it with another mcshield.exe located in the malware’s current directory

BKDR64_WIPALL.F installs KprocessHacker as a driver service and uses it to terminate the following running processes related to McAfee’s antivirus application (also listed in the infection chain above). This is an added measure in order to ensure the malware’s smooth execution.

  • mcshield.exe
  • UdaterUI.exe
  • McTray.exe
  • shstat.exe
  • FrameworkService.exe
  • VsTskMgr.exe
  • mfeann.exe
  • naPrdMgr.exe

Based on our analysis, the malware BKDR64_WIPALL.F may have used a driver service because it has a higher privilege than a typical user-mode application. This is to ensure that the processes will be terminated.

Figure 4. BKDR64_WIPALL.F installs the KProcessHacker component (kph.sys) as a service driver

Figure 5. BKDR64_WIPALL.F checks all running processes with the hardcoded list of processes related to McAfee antivirus applications

Figure 6. It uses the KprocessHacker service driver as a device object to terminate the processes

Tracing Back to #GOP

This attack, along with the one we discussed in our previous blog entry, were both found to trace back to the hacker group named #GOP or “Guardians of Peace.”

The BKDR_WIPALL.A infection chain (via its component BKDR_WIPALL.E)  leads to an HTML file displaying the message with the files back.jpg and index.wav. All of these are encrypted and embedded in the component iissvr.exe (detected as BKDR_WIPALL.E).

Similarly, the infection chain for BKDR_WIPALL.D (via its component BKDR_WIPALL.C)  displays the #GOP message in an image file dropped as walls.bmp.

Figure 7: Top: walls.bmp dropped by BKDR_WIPALL.C;
Bottom: Scrolling message in an HTML file loaded by BKDR_WIPALL.E

There have been reports linking these attacks to North Korea as the culprit, and some claim that the Sony hack may have been an inside job. While nothing is confirmed at the moment, we advise users to exercise vigilance in their online to ensure private data stays that way.

Read our timeline of events related to the Sony hack in our page: The Hack of Sony Pictures: What We Know and What You Need to Know.

Analysis by Rhena Inocencio and Joie Salvio

Related hashes:

  • D1C27EE7CE18675974EDF42D4EEA25C6 as BKDR_WIPALL.A
  • 760C35A80D758F032D02CF4DB12D3E55 as BKDR_WIPALL.B
  • E1864A55D5CCB76AF4BF7A0AE16279BA as BKDR_WIPALL.E
  • B80AA583591EAF758FD95AB4EA7AFE39 as BKDR_WIPALL.C
  • 2618dd3e5c59ca851f03df12c0cab3b8 as BKDR_WIPALL.D
  • 7E5FEE143FB44FDB0D24A1D32B2BD4BB as BKDR64_WIPALL.F

 

Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:

  • An Analysis of the “Destructive” Malware Behind FBI Warnings – analysis of the “destructive” malware described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses
  • WIPALL Malware Leads to #GOP Warning in Sony Hack – this entry discusses other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees
  • The Hack of Sony Pictures: What We Know and What You Need to Know – timeline of the Sony Pictures hack
  • Sony Pictures Corporate Network Hit by Major Attack: Why You Need to Stay Ahead of Targeted Attacks – discussion on responses to targeted attacks
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: GOPSonysony hacksony pictureswipall

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.