DHS Releases Destover Wiper Malware Indicators of Compromise
US-CERT released a not-so-cryptic advisory this weekend providing enterprises with indicators of compromise and detailed descriptions of the malware used against “a major entertainment company.” The advisory also warns: “Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.”
DHS describes in detail a worm that spreads across Windows Server Message Block (SMB) network shares, brute-forcing the passwords of protected shares and then dropping five further components, including a destructive disk-wiping tool.
According to DHS, the worm acts as a dropper, leaving behind a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. According to US-CERT, the worm runs two threads: the first calls home and sends back log data, while the second attempts to guess passwords for new SMB connections. The worm calls home every five minutes with log data, sending it to one of a handful of command and control servers, and seeks out other SMB shares over port 445. If the password guessing succeeds, a file share is established and the malware components are copied to and run on the newly infected host.
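The two behaviours described above, password guessing against SMB on port 445 followed by a successful share connection, and a fixed five-minute call-home, are both visible in ordinary authentication and connection logs. The following is an added detection sketch written for this article; it is not code from US-CERT, the advisory, or the malware. The log record layout, the hosts (10.0.0.x internal addresses, 203.0.113.10 and 198.51.100.9 as documentation-range placeholders), the thresholds and the sample records are all constructed for illustration, not taken from the advisory's indicators.

```python
"""Detection sketch for SMB password guessing followed by a successful share
connection, and for a fixed-interval (about five-minute) call-home.

Added example for this article; not code from US-CERT or the advisory. The
record format, hosts, thresholds and sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, src, dst, dst_port, event)
# event is one of "smb_auth_fail", "smb_auth_ok", "tcp_connect".
BASE = datetime(2014, 12, 1, 9, 0, 0)
SAMPLE_LOG = []

# Constructed: one host guessing passwords against a file server over 445,
# twelve failures in ~22 seconds, then a success.
for i in range(12):
    SAMPLE_LOG.append((BASE + timedelta(seconds=2 * i), "10.0.0.5", "10.0.0.20", 445, "smb_auth_fail"))
SAMPLE_LOG.append((BASE + timedelta(seconds=30), "10.0.0.5", "10.0.0.20", 445, "smb_auth_ok"))

# Constructed: the same host calling home roughly every 300 s with a little jitter.
# 203.0.113.10 is a documentation address standing in for a C2 server.
for i, jitter in enumerate((-3, 4, 0, 2, -1, 5)):
    SAMPLE_LOG.append((BASE + timedelta(seconds=300 * i + jitter), "10.0.0.5", "203.0.113.10", 8080, "tcp_connect"))

# Constructed benign noise: a user mistyping a password twice, and irregular web traffic.
SAMPLE_LOG.append((BASE + timedelta(seconds=10), "10.0.0.7", "10.0.0.20", 445, "smb_auth_fail"))
SAMPLE_LOG.append((BASE + timedelta(seconds=15), "10.0.0.7", "10.0.0.20", 445, "smb_auth_fail"))
SAMPLE_LOG.append((BASE + timedelta(seconds=20), "10.0.0.7", "10.0.0.20", 445, "smb_auth_ok"))
for offset in (5, 61, 400, 1500, 1530):
    SAMPLE_LOG.append((BASE + timedelta(seconds=offset), "10.0.0.7", "198.51.100.9", 443, "tcp_connect"))


def find_smb_bruteforce(records, fail_threshold=10, window=timedelta(minutes=5)):
    """Return {src: {"target", "failures", "followed_by_success"}} for sources with at
    least `fail_threshold` SMB authentication failures against one host inside `window`,
    noting whether a successful SMB authentication to that host came afterwards."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, dst, port, event in sorted(records):
        if port != 445:
            continue
        if event == "smb_auth_fail":
            fails[(src, dst)].append(ts)
        elif event == "smb_auth_ok":
            successes[(src, dst)].append(ts)

    hits = {}
    for (src, dst), times in fails.items():
        # Sliding window over the time-sorted failures: largest burst inside `window`.
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= fail_threshold:
            hits[src] = {
                "target": dst,
                "failures": best,
                # A success after the burst is the "file share is established" step.
                "followed_by_success": any(s > times[-1] for s in successes[(src, dst)]),
            }
    return hits


def find_periodic_beacons(records, period=timedelta(minutes=5),
                          tolerance=timedelta(seconds=30), min_intervals=4):
    """Return {(src, dst): n} for connection pairs with at least `min_intervals`
    consecutive gaps within `tolerance` of `period`, i.e. a fixed-interval call-home."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, event in records:
        if event == "tcp_connect":
            by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if regular >= min_intervals:
            beacons[pair] = regular
    return beacons


if __name__ == "__main__":
    for src, info in find_smb_bruteforce(SAMPLE_LOG).items():
        print(f"SMB password guessing from {src} against {info['target']}: "
              f"{info['failures']} failures, success afterwards: {info['followed_by_success']}")
    for (src, dst), n in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"periodic call-home {src} -> {dst}: {n} intervals near 5 min")
```

On the constructed sample the first function flags only 10.0.0.5 (twelve failures, then a success against the same server), and the second flags only the 10.0.0.5 to 203.0.113.10 pair; the two-failure user and the irregular HTTPS traffic fall below both thresholds. The thresholds are illustrative and would need tuning against a real environment's baseline of SMB failures and periodic legitimate traffic.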
The “major entertainment company,” Sony, has been under siege since Nov. 24, when employees were greeted with a message on their workstations and threats from a hacker group calling itself the Guardians of Peace. Since then, Sony has been subjected to numerous data leaks, ranging from unreleased movies and scripts made available online, to embarrassing email exchanges between executives, to employees' personal health care and contact information released on Pastebin.