Our previous blog entry discussed the “destructive” FBI security advisory and an analysis about the WIPALL malware family and its direct connection to the massive Sony Pictures hack. In this blog post, we will further discuss other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees. Below is an overview of the infection chain to be discussed in this entry:
BKDR64_WIPALL.F Disables McAfee’s Services
The WIPALL variant BKDR_WIPALL.C shares the same coding as the previously discussed variant, BKDR_WIPALL.B. In the case of BKDR_WIPALL.C, the dropped copies are named as igfxtrays{2 random characters}.exe and executes several copies of itself with specific parameters (-a, -m, -d, -s), which contain its main routines.
Figure 1. Main malware routines of BKDR_WIPALL.C
It is a notable observation that BKDR_WIPALL.C checks if the infected system is 64-bit. If found to be running on a 64-bit system, the malware drops kph.sys (KProcessHacker driver) and its component ams.exe (detected as BKDR64_WIPALL.F).
We noticed that BKDR64_WIPALL.F replaces McAfee’s real-time scanner, mcshield.exe with another file located in its current directory, while the original mcshield.exe is placed in the system32 directory. In turn, when McAfee’s service executes, the replacement file will be executed instead of the legitimate real-time scanner component, effectively disabling the antivirus’ operation.
Figure 2. BKDR64_WIPALL.F obtains the Image Path of McShield.exe from the registry’s list of services: HKLM\CurrentControlSet\services\McShield
Figure 3. BKDR64_WIPALL.F moves the legitimate mcshield.exe to the System32 folder and replaces it with another mcshield.exe located in the malware’s current directory
BKDR64_WIPALL.F installs KprocessHacker as a driver service and uses it to terminate the following running processes related to McAfee’s antivirus application (also listed in the infection chain above). This is an added measure in order to ensure the malware’s smooth execution.
- mcshield.exe
- UdaterUI.exe
- McTray.exe
- shstat.exe
- FrameworkService.exe
- VsTskMgr.exe
- mfeann.exe
- naPrdMgr.exe
Based on our analysis, the malware BKDR64_WIPALL.F may have used a driver service because it has a higher privilege than a typical user-mode application. This is to ensure that the processes will be terminated.
Figure 4. BKDR64_WIPALL.F installs the KProcessHacker component (kph.sys) as a service driver
Figure 5. BKDR64_WIPALL.F checks all running processes with the hardcoded list of processes related to McAfee antivirus applications
Figure 6. It uses the KprocessHacker service driver as a device object to terminate the processes
Tracing Back to #GOP
This attack, along with the one we discussed in our previous blog entry, were both found to trace back to the hacker group named #GOP or “Guardians of Peace.”
The BKDR_WIPALL.A infection chain (via its component BKDR_WIPALL.E) leads to an HTML file displaying the message with the files back.jpg and index.wav. All of these are encrypted and embedded in the component iissvr.exe (detected as BKDR_WIPALL.E).
Similarly, the infection chain for BKDR_WIPALL.D (via its component BKDR_WIPALL.C) displays the #GOP message in an image file dropped as walls.bmp.
Figure 7: Top: walls.bmp dropped by BKDR_WIPALL.C;
Bottom: Scrolling message in an HTML file loaded by BKDR_WIPALL.E
There have been reports linking these attacks to North Korea as the culprit, and some claim that the Sony hack may have been an inside job. While nothing is confirmed at the moment, we advise users to exercise vigilance in their online to ensure private data stays that way.
Read our timeline of events related to the Sony hack in our page: The Hack of Sony Pictures: What We Know and What You Need to Know.
Analysis by Rhena Inocencio and Joie Salvio
Related hashes:
- D1C27EE7CE18675974EDF42D4EEA25C6 as BKDR_WIPALL.A
- 760C35A80D758F032D02CF4DB12D3E55 as BKDR_WIPALL.B
- E1864A55D5CCB76AF4BF7A0AE16279BA as BKDR_WIPALL.E
- B80AA583591EAF758FD95AB4EA7AFE39 as BKDR_WIPALL.C
- 2618dd3e5c59ca851f03df12c0cab3b8 as BKDR_WIPALL.D
- 7E5FEE143FB44FDB0D24A1D32B2BD4BB as BKDR64_WIPALL.F
Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:
- An Analysis of the “Destructive” Malware Behind FBI Warnings – analysis of the “destructive” malware described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses
- WIPALL Malware Leads to #GOP Warning in Sony Hack – this entry discusses other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees
- The Hack of Sony Pictures: What We Know and What You Need to Know – timeline of the Sony Pictures hack
- Sony Pictures Corporate Network Hit by Major Attack: Why You Need to Stay Ahead of Targeted Attacks – discussion on responses to targeted attacks
