FBI: Destructive Malware Used Korean Language Packs

In a first, the F.B.I has issued a warning to U.S. businesses to be on the lookout for destructive malware that was used in an attack last week on Sony Pictures Entertainment.

The FBI issued a five-page “FLASH” warning to security professionals at U.S. companies to warn them of the new malware. A copy of the warning viewed by The Security Ledger revealed that the malware deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI contained configuration files created on systems using Korean language packs.

The FBI FLASH alert described destructive malware created using systems running Korean language packs.
The FBI FLASH alert described destructive malware created using systems running Korean language packs.

The use of Korean could suggest a link to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names. Media reports have linked the malware to the destructive attack on Sony Pictures Entertainment, though the FBI FLASH alert does not name Sony or any other organization. A group calling itself #GOP – for Guardians of Peace – took responsibility for that attack last week.

“This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the FBI warned. “The FBI has high confidence that these indicators are being used by CNE (computer network exploitation) operators for further network exploitation. The FBI recommends that your organization help victims identify and remove the malicious code,” the alert reads.

The FBI was not able to respond to a request for comment prior to publication. The alert provided “indicators of compromise” including file names and IP addresses that the malware “beacons” to for instructions.  However, the FBI warned that malware that has advanced to the “beaconing” stage had already commenced the destructive disk wiping, making detection at that stage of little value.

FLASH warnings, which refer to the FBI Liaison Alert System, are designed to inform the business community and others about “threats to the national security.” This is the first known FLASH warning concerning a destructive malware attack against a U.S. company.

The alert describes a highly destructive attack that relied on downloader and dropper files which install a serious of malicious tools. At the core of the attack is a malicious file, identified as “igfxtrayex.exe” on victims’ Windows systems.  That file is described as a malicious disk wiper with network beacon capabilities.

One theory has the attacks on Sony Pictures as retaliation for the release of The Interview, a movie about an attempt to assassinate North Korean leader Kim Jong Un.
One theory has the attacks on Sony Pictures as retaliation for the release of The Interview, a movie about an attempt to assassinate North Korean leader Kim Jong Un.

The FBI said it had “HIGH confidence” in the information contained in its report.

The warning marked a worrisome escalation in threats, according to one executive at a leading IT consulting firm who had reviewed the FBI FLASH alert.

“This is what I have been fearing,” he said. While Sony Pictures Entertainment doesn’t qualify as ‘critical infrastructure,’ the same kind of attack on a leading bank or exchange could throw the economy into turmoil, he observed. “When you consider the idea of this kind of destructive malware in a financial institution? Even one hour of downtime in a cornerstone bank could crush our economy,” he said.

Theories about the purpose of the attack on Sony abound. One of the more colorful explanations has the destructive cyber attack as retribution for The Interview, a new Sony film due out at Christmas starring Seth Rogen and James Franco as western journalists who score an interview with North Korean dictator Kim Jong Un, and are then instructed by the U.S. Central Intelligence Agency to assisinate him. The government of the Democratic Peoples Republic of Korea (DPRK) publicly criticized Sony for plans to release the film and lodged a complaint with the United Nations.