Techniques of Malware That Struck Sony Pictures Revealed

An independent security firm has revealed the sophisticated techniques of the infamous Destover malware, widely known as the Trojan that affected Sony Entertainment’s network and computers.

A new version of the Destover malware may be around according to security researchers at Damaballa, a private security company. The researchers were investigating a new possible strain of the malware when they discovered multiple utilities used by the Trojan malware to mask itself from detection.

As explained in a blog entry, Destover is infamous for the way in which the Trojan was used by hackers to steal confidential company data from Sony Pictures Entertainment. However, unlike most other malware, Destover isn’t coded by its authors for financial gain. It is predominantly written to inflict political and ideological damage.

Case in point, the recent Sony hack had the movie studio’s computers rendered unusable after the Trojan malware wiped out all data and files from the targeted computers. The researchers also noted another example of a Destover attack that saw the Al-Saud royal family targeted in a breach that saw multiple hard drives damaged. The breach was so destructive that hard drive prices actually went up in the immediate aftermath of the cyberattack.

Senior threat researchers Willis McDonald and Loucif Kharouni explain:

While researching a newer sample of Destover, we came across two files that were identified by one antivirus product at the time under a generic signature.

Although a lot of information has since been found following investigations into the breach, it was still unknown as to how the attackers stayed undetected within the company’s networks over a period of time before extracting terabytes of information.

The researchers added:

After analyzing further, we found two utilities closely related to Destover. Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface.

One of the tools, known as setMFT employes a ‘timestopping’ technique which changes the time stamp on a targeted file to trick the user. The technique is normally used when renaming a newly introduced file to have it blend in seamlessly to other files.

“This can conceal a file’s existence from security personnel looking for malicious files or scans of files created after a certain date,” the researchers wrote.