An Analysis of the Sony Breach

As we all know by now, Sony Pictures Entertainment got hacked. The situation soon escalated and took a political turn indicating a state sponsored attack. Attackers stole dozens of terabytes of data amounting to massive leakage of data.

They used services like Pastebin, Mega, Rapidgator, Turbobit, etc. where they uploaded the following sensitive information

–       Unreleased movies
–       Script of an upcoming movie
–       Employees’ and their dependents’ personal information
–       Account credentials
–       Executive Salaries
–       UPS accounts
–       Email leaks
–       Aliases, phone numbers used by celebrities while traveling

DHS released the IOCs related to this attack while indirectly indicating that the attacks were targeting the Entertainment Industry. The malware used by the threat actors is very destructive and designed to carry out various malicious tasks like,

–       Lateral movement which is achieved via password bruteforcing
–       Overwrite attached physical drives and make them irrecoverable
–       Master Boot Record overwrite
–       Network Propagation
–       Command and Control Activity
–       Data Exfiltration

Lets take a look at some of the characteristics of the malware samples.

Dropper Analysis

When run with a –i parameter, WinsSchMgmt service is created

destover1

With a –k parameter, StartServiceCtrlDispatcher is invoked to have same service WinsSchMgmt to be run in the calling process

destover2

With a –s parameter, we can see how the C2 Addresses are being utilized

destover3

Following are some of the interesting strings seen present in the sample that indicate remote share access and remote process creation.

destover4

Here is a sample run with –i parameter. We can observe file, igfxtrayex.exe being created and run. The sample also writes a file called net_ver.dat which contain records of the form hostname, ipaddress and number 2.

destover5

Next, lets look at igfxtrayex.exe.

igfxtrayex Analysis

Similar to its dropper, this sample, takes –i and –k parameters but this time uses the service name brmgmtsvc.

destover6

The execution sequence then calls the same set of ip addresses as called by the dropper previously and then drops files named as taskhostXX.exe. Respective processes are created with –w, -m, -d command line parameters.

destover7

-w option stops Terminal Service and drops a file, iissvr.exe which when ran, starts the Webserver

destover8

-m option creates a driver file called usbdrv.sys and then installs it as a USB 3.0 Host Controller. It ultimately wipes off the Master Boot Record and thus leaving the disk unusable.

destover9

-d option calls a recursive function to delete files

destover10

Our recommendations:

  1. do make sure standard security practices are being followed
  2. monitor your systems and network to find the presence of IOCs
  3. periodically change passwords and have regular backups of critical infrastructure

Overall, a behavior-based approach is key to catching unprecedented attacks as there are no visible, known signs while the attack is happening.