Sony/Destover: mystery North Korean actor’s destructive and past network activity

This week, for the first time, the FBI issued a Flash warning about a destructive wiper activity, used in the attack on Sony Pictures Entertainment. Samples of this Destover malware contained configuration files created on systems using Korean language packs.

Since the attack, further information about the malware has surfaced in one form or another, but some details, such as those relating to the previous activity of the prime suspects, are still to be examined.

So, while Sony Pictures silently completes its costly clean-up efforts and prepares to release “The Interview”, let’s discuss some of the malware functionality, glaring similarities with other wiper events, and some of the suspect group’s previous activity.

The first thing to note is that destructive activity targeting the networks of large organizations is clearly becoming more commonplace. Previous major wiper malware is discussed here.  For these, most of the related events occurred in the Middle East and the Korean Peninsula. We also noted a separate Eastern European BE2 ICS environment-related wiping event, covered in more detail here. And it’s hard to ignore the complete customer data wipe of Code Spaces in Great Britain by a cybercriminal holding them for ransom, as reported here.

The malware involved in the Sony Entertainment attack is called Trojan Destover and is capable of wiping disk drives and MBR.

Destover Wiper Functionality

The most interesting aspects of the destructive functionality of the malware are related to the selection and storage/delivery of the drivers that are now used repeatedly in these kinds of sabotage attacks.

The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. There are implications for data recovery in this. In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon ‘destroyed’ data. Destover data recovery is likely to be the same.

The chain of intermediary components leading to the destructive payload follows multiple stages (which have previously been described elsewhere), with capabilities set to run in several modes, just like Shamoon:

1. The sample is run on a 32-bit OS for the first time.
2. The sample is run on a 32-bit OS as a self-installed service, with one of several code paths.
3. The sample is run on a 64-bit OS as a self-installed service.

On a first run, it creates the ‘Backup and Restore Management’ Windows brmgmtsvc service, adds its own executable and sets a startup ‘-i‘ switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w.

-m (mbr overwrite):
This attempts to connect with the three IP addresses.  Even if this is unsuccessful, process execution takes place.
It fetches its resource that contains the compressed EldoS RawDisk driver, and writes it out to the temp directory as a ‘usbdrv3.sys’.
It then installs the driver as the usbdrv3 service ‘USB 3.0 Host Controller’.
After this, it starts the driver service and closes its service handle.
It then creates a filehandle to the driver with write permissions:
‘\\?\ElRawDisk\??\\PhysicalDrive0#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F’
and writes to that handle with 64k strings of ‘0xAAAAAAAA’. ← note that the issue of a  lengthy license key (#99E2428…) is discussed in our Shamoon The Wiper – part ii blogpost.
It then creates new threads, each of which attempts to connect to any possible physical drive letter and overwrite them as well.

-d (data overwrite):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It gets the logical drives and traverses recursively through them, identifying all data files. If it is not .exe or .dll, the process overwrites file contents with ‘0x0df0adba’ in a 20k chunk. This overwrite is completed from user mode, without the EldoS drivers.
It then attempts to delete the data file using the win32 api ‘DeleteFileW’. As it recurses through all the system’s directories, it attempts to delete .exe and .dll files.

-w (web server):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It stops the Windows Terminal Services from the cmd line: ‘cmd.exe /c net stop termservice /y’
Then finds resource#85, decompresses and writes contents out to ‘c:\windows\iissvr.exe‘.
It launches the iissvr.exe process and exits.
iissvr is what it seems to be – a web server that maintains an encoded JPG, HTML and WAV file. It listens on Port 80 and serves these files. The full graphic and scrolling green warning can be found later in the article. The decoded jpg here:

Lastly, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0).   This forces an exit but delays the shutdown itself while system state file creation occurs.

Commonalities Across Wipers

Just like Shamoon, the Destover wiper drivers are commercially available EldoS RawDisk driver files.

Just like Shamoon, the Destover wiper drivers are maintained in the droppers’ resource section.

Just like Shamoon, the DarkSeoul wiper event included vague, encoded psuedo-political messages used to overwrite disk data and the master boot record (MBR).

Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack. It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.

The Shamoon components were compiled in a similarly tight timeframe prior to their deployment. The CompiledOn timestamps all fall within five days of their executables’ detonation. Nearly all were compiled on Aug 10, 2012 (between 00:17:23 and 02:46:22) and set to detonate on Aug 15, 2012. That is a tight window to quietly deploy these binaries considering the fact that tens of thousands of machines were destroyed with this payload.

In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own.  All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.

Images from the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups included a ‘Hacked by’ claim, accompanied by a “warning” and threats regarding stolen data.  Both threatened that this was only the beginning and that the group will be back. It appears that original skeletal artwork was also included in both.

Whois team graphics and warning:

GOP team graphics and warning:

Differences between the Destover and DarkSeoul Wiper attacks include Destover’s lack of *nix scripts to erase partitions across Linux systems.

The above list of commonalities does not, of course, prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.

Network activity

Related beacon destinations were published as:

• 88.53.215.64
• 217.96.33.164
• 203.131.222.102

However, directly related samples perform callbacks to a number of other IP addresses as well. Kaspersky Security Network (KSN) data presents a complete lack of malware being served from any of these addresses in the past:

• 58.185.154.99
• 200.87.126.116
• 208.105.226.235
• 212.31.102.100

The connections appear arbitrary and inconsequential to the execution of the malicious package. Some are not currently active. These IPs all appear to be oddly selected.

Some of these addresses are known to have performed RDP Scans in the recent past. In late 2012, 217.96.33.164 was a known RDP brute forcing network scanner. The server is hosted at an IP address in Poland, maintained at that provider since 1996.

In early 2014, 88.53.215.64 was hosted in Italy and served as a ‘Hide My Ass’ premium and free proxy server over port 443. The malware attempts to connect to that server on ports 8000 and 8080, and currently no resources are available.

200.87.126.116 also previously served as a free SOCKS proxy in 2011 and 2012. Often, these sorts of resources were misused by spammers and blackhat SEO scammers.

Previous Backdoors

The DarkSeoul campaigns have been linked to several families of Trojans and backdoors, all used over the course of several years. Some links are much stronger than others:

• Concealment Troy
• DarkSeoul
• HttpDr0pper
• HttpTroy
• TDrop

Destover MD5s

Trojans:

Eldos Drivers:

6aeac618e29980b69721158044c2e544 (32-bit), signed by the EldoS Corporation
86e212b7fc20fc406c692400294073ff (64-bit), signed by the EldoS Corporation

Certificate (6aeac618e29980b69721158044c2e544 32-bit and
86e212b7fc20fc406c692400294073ff 64-bit):

Previous and Parallel Research References

• Exclusive: FBI warns of ‘destructive’ malware in wake of Sony attack
• Dissecting Operation Troy: Cyberespionage in South Korea, McAfee, 2013 (PDF)
• Darkseoul/Jokra Analysis And Recovery, Fidelis Cybersecurity, 2013 (PDF)
• Analyzing Unknown Malware
• DarkSeoul – Jokra – MBR wiper samples
• Shamoon The Wiper: Further Details (Part II)