1. The document discusses a presentation given by Cyphort Labs on major malware attacks and threats of 2014, including the Sony Pictures attack carried out by the Destover trojan. 2. The Sony attack was a sophisticated, targeted attack that stole over 100 terabytes of data including unreleased movies and employee information. 3. Analysis showed links between the Destover malware and previous North Korean developed malware, indicating North Korean involvement in the Sony attack. 4. Other notable threats and attacks in 2014 included Cryptolocker ransomware, Shellshock and Heartbleed exploits, and POS malware like BlackPOS and Backoff targeting retailers.

1. Cyphort Labs Malware’s Most Wanted Series
Attack on Sony Pictures
Destover
Most Wanted of 2014
@belogor

2. Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shel Sharma
Product Marketing Director

3. Agenda
o Sony Destover trojan dissection
o Sony attack attribution
o Most wanted of 2014
o Wrap-up and Q&A
CyphortLabsT-shirt

4. Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

5. Sony Pictures Attack by Destover Trojan
o Attack on Sony Pictures…Nov 24, 2014 by GOP - “Guardians of Peace”
o 111 Terabytes of Data Stolen
o Suspected Origin: North Korea
o 7 lawsuits filed against Sony, so far
o Controversy over “The Interview”
which made $46 million to date
o Trojan designed for Sony’s network.

6. Attack Timeline for Sony Pictures, Nov – Dec 2014
Destover
malware
discovered
Guardians of
Peace claims
credit, starts
releasing stolen
movies
Sony decides to release
“The Interview” on Dec
25
Wiper activates
Nov 21 Nov 24 Nov 27 Dec 1 Dec 3 Dec 11 Dec 15 Dec 17 Dec 19 Dec 23
Sony receives
email from
‘God’s Apstls”
FBI sends
“flash alert”
GOP leaks
Sony Exec
emails
Sony hit with 1st
class-action
lawsuit for failure
to protect
employee info
Sony cancels movie
“The Interview”
FBI says hack
done by North
Korea

7. What was stolen and leaked?
In a word, everything!
 Personal data on employees
 Movies and Scripts
 Performance reports and salary information
 Source code, Private keys, passwords, certificates
 Production schedules, Box office projections
 Executives email correspondence
 Brad Pitt phone number! and more..

8. Destover Workflow Diagram
8
ATTACKER
Spreads via SMB port 445Destover
Command
and Control
Servers
Drops
WIPER
DROPPER
-w Webserver -d Disk Driver
Drops
Disk Wiper

9. Wiper Command and Control
o This Trojan uses encrypted config file
net_ver.dat embedded in the resource
section that has several IP addresses later
used for C&C communication
o Once connectivity is established with C2
servers, it initiates a two hour countdown at
which time the infected machine will reboot
Net_ver.dat (Config File)

10. Wiper switches
The module can be executed with many parameters:
switch description
-i Install itself as a service
-k Remove the service
-d Start file wipe module
-s Mount and remote shares with hardcoded passwords and delete
files from them
-m Drop Eldos Software RawDisk kernel driver to wipe MBR
-a Start anti-AV module
-w Drop and execute webserver to show the ransom message

11. -w Warning
• This switch drops a decrypted
from resource section
webserver.
• It runs on the infected
machine with the only
purpose of showing the user
this ransom message.

12. -d switch
o usbdrv3.sys - Eldos Software RawDisk (a commercial product to
enable raw access to the hard disk from Windows).
o After ten attempts to connect to one of the local systems, the
process of wiping the hard drive began.

13. -d Delete
o sends string of “AAAAA”s
in a loop to the Eldos
driver requesting it to
write directly to the hard
disk.
o It deletes all files in the
system except the files
with extension exe and dll
o The malware is also
known to wipe out
network drives

14. Who do you think is responsible?
POLL #1 – Who was it
o A – North Korea
o B – Insiders
o C – Sony hacked itself
o D – China
o E – Russia
o F – None of the above

15. By GOP
The result of investigation by
CNN is so excellent that you
might have seen what we were
doing with your own eyes.
We congratulate you success.
CNN is the BEST in the world.
You will find the gift for CNN at
the following address.
https://www.youtube.com/watc
h?v=hiRacdl02w4
Enjoy!
P.S. You have 24 hours to give us
the Wolf.
Dec 24:
FBI: the GOP threaten USPER2 – NEWS ORGANIZATION
Dec 20:
By GOP – CNN , give us the Wolf
Attribution is Hard…The GoP pastebin hoax
Dec 31:
Homeland Security writer takes credit as a joke

16. Insiders?
o This Trojan uses stored user name and password
combination to get access to the other machines.
How did attackers get them? They must have known the
internal network, either from insiders or previous attacks.

17. Alternative Arguments? … Similarity to other APT attacks
o August 2012
o Shamoon rendered up to 30,000 computers inoperable at
Saudi Aramco, the national oil company of Saudi Arabia.
o Credit claimed by Cutting Sword of Justice
o 2013
o DarkSeoul, a hacking group with suspected links to North
Korea, performed a delayed wipe on 32,000 systems at South
Korean banks and media companies
o Credit claimed by Whois

18. North Koreans?
o The resource section of the main file shows that the
language pack used was Korean.

19. North Korea? Argument #1
FBI Bulletin, Dec 19
o Technical analysis of the data deletion malware used in this attack revealed
links to other malware that the FBI knows North Korean actors previously
developed. For example, there were similarities in specific lines of code,
encryption algorithms, data deletion methods, and compromised networks.
o The FBI also observed significant overlap between the infrastructure used in
this attack and other malicious cyber activity the U.S. government has
previously linked directly to North Korea. For example, the FBI discovered
that several Internet protocol (IP) addresses associated with known North
Korean infrastructure communicated with IP addresses that were hardcoded
into the data deletion malware used in this attack.
o Separately, the tools used in the SPE attack have similarities to a cyber attack
in March of last year against South Korean banks and media outlets, which
was carried out by North Korea.
o Hackers used their true IP address
o Similar tools
o Malware analysis

20. North Korea? Argument #2
o Snowden docs show NSA first hacked North Korea in 2010 with help from SK
o “early warning radar” was implanted to monitor North Korea
o Fourth party collection

21. North Korea Bureau 121.
o Reconnaissance General Bureau,
North Korea’s main intelligence service
with 6,000 hackers
o Bureau 121, its secretive hacking unit, with a large outpost in
China
o Hackers in Bureau 121 were among the 100 students who
graduate from the University of Automation each year after
five years of study. Over 2,500 apply for places at the
university, which has a campus in Pyongyang, behind barbed
wire.

22. North Korea Bureau 121.

23. Most Wanted of 2014
APT- Regin
a.k.a. Prax
Qwerty
WARRIORPRIDE
APT
DarkHotel
a.k.a. Luder / Karba /
Tapaoux / Nemim
APT- Turla
a.k.a. Uroboros /
Snake
Origin: Russian
POS
BlackPOS
Victim: Target
POS
Framework
Victim:
Home Depot
POS
Backoff
Victims: Albertsons,
Dairy Queen, …
NightHunter
Origin: Spain
CryptoLocker
Ransom ware
Accessory to Murder
Shellshock
Exploit
Heartbleed PoodleDestover
a.k.a. Sony Trojan

24. APT: Regin
o Active since around 2008
o Victims: Belgacom, European Parliament
o Suspected Origin: NSA / GCHQ
o Multi-layer malware with 6 stages
o Extensible platform with custom plugins
o Network traffic monitoring
o Key logging
o Credential capturing
Image source: http://www.symantec.com/connect/blogs/
regin-top-tier-espionage-tool-enables-stealthy-surveillance
Known as Regin / Prax / Qwerty / WARRIORPRIDE

25. o Campaign started in 2007
o Targets executives through hotel networks
o Suspected Origin: South Korea
o Sandbox evasion & anti-virus detection
o Espionage & data exfiltration
o Components
o Kernel-mode keylogger
o Downloader
o Information Stealer
o Collects email and IM accounts, system info
Known as Luder / Karba / Tapaoux / Nemim
APT: DarkHotel

26. APT: Turla
Known as Uroboros/Snake
o Active since around 2008
o Framework for Espionage against France and
other NATO states
o Suspected Origin: Russia
o Uses direct spear-phishing e-mails and
watering hole attacks to infect victims.
o Has a Linux rootkit component

27. Point of Sale (POS) Malware
BlackPOS
• November 2013
• 40 million cards stolen
• $500 Million total
exposure to Target (Gartner)
• Cards resold on Rescator forum
Backoff
• Began in October 2013
• Government warned retailers in July
• Not targeted
• Protected by run-time packer
• Supports keylogging
• communicates to a C&C, can update
itself
• More than 1,000 victims
FrameworkPOS
• April – Sep 2014
• 56 Million cards leaked
• Copy-cat attack, imitated BlackPOS
• Cards resold on Rescator forum
• Likely different actors

28. Exploits
Heartbleed
• April 2014
• CVE-2014-0160
• Exploits a flaw in the heartbeat step
of TLS
• Buffer over-read
• 39% of Internet users changed their
passwords, according to Pew
• 500,000 vulnerable websites
POODLE
• Found in September, 2014
• CVE-2014-3566
• Google discovered flaw in SSL v3
• Allows man-in-the-middle
• Stands for “Padding Oracle On
Downgraded Legacy Encryption”
• Not as bad as the other two
ShellShock
• Found in September, 2014
• CVE-2014-6271
• Bug in Bash shell allowed to
execute arbitrary commands
• 1.5 million attacks per day
according to CloudFlare.
• 500 million vulnerable machines!
• Yahoo hacked on Oct 6 via this

29. o Discovered by Cyphort in March 2014,
NightHunter is a major data exfiltration that went
undetected for 5 years.
o Steals login credentials of users, Google, Facebook,
Dropbox, Skype and other services
o Malware coded in .NET
o At least 1,800 infections
o Using SMTP and more than 3,000 unique
keylogger binaries
o Ten different string obfuscation techniques
NightHunter

30. NightHunter
df
User
Receives a phishing
email with a DOC/ZIP
attachment
Stage 1 –EXE
Decrypts the DLL from a
resource section and
loads it from memory
Attacker
Receives stolen credentials in
the email server
Stage 2 – DLL
Runs from EXE’s process
memory and Sends out
credentials via SMTP

31. Cryptolocker
o Began September 2013
o Encrypts victim’s files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide
(According to Secureworks)
o Unforeseen Consequences

32. Cryptolocker Overview
z
Bitcoin Ransom Sent
C&C
Server
Private Key Sent
Locked Files
Unlocked Files

33. POLL #2 – What was the “most wanted” attack of 2014?
o A – Sony Destover Trojan
o B – Cryptolocker
o C – Backoff POS Trojan
o D – NightHunter
o E – Shellshock exploit
o F – None of the above

34. Conclusions
1. Sony attack was sophisticated , targeted and politically motivated
2. In Sony’s case - early compromise harvesting the user account credentials
lead to the later stage using malware designed with the credentials
embedded
3. Sony is the first significant breach where the data exposure is beyond
"consumer account and personal information", with direct theft of
corporate assets (movies & scripts), and with legal implication on corporate
obligation and contract
4. 2014 was an exceptional year for malware with successful malware breaches
at Target, Sony, JPMorgan and Home Depot to name a few
5. The best defense is an approach that continuously monitors network
activities and file movements, detects threat activities across threat kill
chain, and correlates observations across the enterprise network

35. Thank You!
Twitter: @belogor
Previous MMW slides on
http://cyphort.com/labs/
malwares-wanted/

37. References:
http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
http://blog.erratasec.com/2015/01/the-gop-pastebin-hoax.html
http://thehackernews.com/2015/01/police-ransomware-suicide.html
http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-
say.html?_r=0
http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307
http://thehackernews.com/2014/12/powerful-linux-trojan-turla.html
http://www.cyphort.com/latest-sony-pictures-breach-deadly-cyber-extortion/
http://www.darkreading.com/shellshock-bash-bug-impacts-basically-everything-exploits-appear-in-wild/d/d-id/1316064
http://www.pewinternet.org/2014/04/30/heartbleeds-impact/
http://www.bbc.com/news/technology-29361794
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25630/en_US/Mc
Afee_Labs_Threat_Advisory_Trojan-Wiper.pdf
http://arstechnica.com/information-technology/2015/01/nsa-secretly-hijacked-existing-malware-to-spy-on-n-korea-
others/
http://securelist.com/blog/research/67985/destover/
http://deadline.com/2014/12/is-the-chinese-armys-cyber-squad-behind-the-sony-attack-1201325918/