New Toolset Linked to Wiper Malware in Sony Hack, Researchers Find
According to Tripwire, researchers have discovered two new utilities that are closely associated with the wiper malware used to disrupt the computer networks of Sony Pictures Entertainment last year.
After phishing for employees’ login information, the attackers responsible for the breach used a strain of wiper malware known as “Destover” to wipe the files off of company workstations, thus rendering them inoperable.
Last week, however, Willis McDonald and Loucif Kharouni, senior threat researchers with advanced threat protection firm Damballa, published a blog post describing two tools that the attackers used to evade detection in Sony’s networks. Both utilities, called setMFT and afset, ship with usage statements.
setMFT is a timestomping tool. Timestomping alters a file’s recorded timestamps so that, combined with a name similar to its neighbours, the file blends into a directory. A forensic investigation into the files’ record dates, and possibly into log files, could still reveal that a particular file has been timestomped.
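As an added example (not code from the Damballa post or the Tripwire article), the following Python shows the inconsistency a forensic examiner looks for: NTFS stores a kernel-maintained $FILE_NAME timestamp set alongside the $STANDARD_INFORMATION set that user-mode APIs can change, and API-based timestomping typically alters only the latter, often with whole-second values. The MftRecord type is a constructed, simplified stand-in for parsed MFT output, and the sample paths and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftRecord:
    """Constructed stand-in for a parsed MFT entry (not a real MFT parser).
    si_*: $STANDARD_INFORMATION timestamps, settable from user mode.
    fn_created: $FILE_NAME creation time, written by the kernel on create/rename."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the standard timeline-analysis indicators that $SI was manipulated."""
    hits = []
    # $FN is set when the entry is created; a $SI creation or modification
    # time that predates it means $SI was pushed backwards after the fact.
    if rec.si_created < rec.fn_created:
        hits.append("si_created precedes fn_created")
    if rec.si_modified < rec.fn_created:
        hits.append("si_modified precedes fn_created")
    # Timestomping utilities commonly take whole-second input, so forged $SI
    # values often have an exactly zero sub-second part, which NTFS rarely writes.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("zero sub-second precision in $SI")
    return hits


def scan(records) -> dict:
    """Map each suspicious path to its indicators; clean records are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


def T(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample: one untouched system file, one file whose $SI was set back.
SAMPLE = [
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              T(2014, 3, 4, 9, 18, 7, 123456), T(2014, 3, 4, 9, 18, 7, 123456),
              T(2014, 3, 4, 9, 18, 7, 123456)),
    MftRecord(r"C:\Windows\System32\suspect_file.dll",  # placeholder name
              T(2014, 3, 4, 9, 18, 7), T(2014, 3, 4, 9, 18, 7),
              T(2014, 11, 21, 2, 41, 55, 904112)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```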
McDonald and Kharouni also note that the setMFT tool interacts with the attacker on the command line and is neither delivered nor executed by a dropper without interaction. The other utility, afset, is another timestomping tool that can clean Microsoft Windows logs.
Together, setMFT and afset enable an attacker to breach a network, disable defenses, and hide their tracks. Given that only one anti-virus solution successfully detected the tools, attackers employing these utilities could remain undetected for a considerable length of time.