Log wipers, timestompers may have helped hackers stay quiet in terabyte raids.
Damballa researchers Willis McDonald and Loucif Kharouni say the attackers who flayed Sony Pictures with disk-cleansing malware may have stayed hidden using newly-uncovered anti-forensics tools.
The pair found the updated weaponry in the latest version of the Destover malware, best known as the malware that in November last year erased data across workstations at Sony Pictures.
North Korea was blamed by the United States for the attack, a claim Pyongyang denies.
Now McDonald and Kharouni say Destover attackers, who may include the Sony hackers, are using tools to change file timestamps and erase logs.
“The Destover trojan is a wiper that deletes files off of an infected system, rendering it useless … for ideological and political reasons not for financial gain,” the pair of researchers say.
“Much was revealed in the weeks and months following these breaches, except for how attackers were able to stay undetected within the network long enough to expand their presence and exfiltrate terabytes of sensitive information.”
The tools include the timestamp-stomping setMFT, which manipulates timestamps to throw off investigators unless files are checked against logs and dates.
The afset tool can wipe Windows logs selectively by time and identity, and alter a PE file's build timestamp and checksum. Such a utility is valuable to attackers because it lets them erase their tracks as they move laterally through corporate networks.
“A full forensic analysis of a system would reveal the presence of afset and missing log activity, but it’s likely this activity would go undetected initially, creating high-risk infection dwell time,” they say.
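As an added, defender-side illustration of the two checks the article alludes to (comparing file timestamps against the log records that should agree with them, and noticing log entries that have gone missing), here is a small Python consistency checker. It is not Damballa's code and is not taken from the article; the file listing, the key=value audit-log format, the record IDs and the five-second tolerance are all constructed assumptions, and real Windows event logs would need an EVTX parser rather than this toy format.

```python
from datetime import datetime, timedelta, timezone

# Constructed file listing (path, created, modified), as an investigator might
# export it from a filesystem timeline. The second entry is backdated to look
# like it shipped with the OS; the third has a modification time earlier than
# its creation time, which a normal write cannot produce.
FILE_RECORDS = [
    (r"C:\Windows\Temp\a.dat", "2014-11-20T10:00:00Z", "2014-11-20T10:05:00Z"),
    (r"C:\Windows\Temp\svc.dll", "2009-07-14T01:14:37Z", "2009-07-14T01:14:37Z"),
    (r"C:\Users\jdoe\doc.txt", "2014-11-22T09:00:00Z", "2014-11-22T08:00:00Z"),
]

# Constructed audit log in a hypothetical key=value format (an assumption made
# for this example). Record IDs 1004-1006 are absent, as they would be if
# entries in that window had been selectively removed.
LOG_LINES = [
    r"2014-11-20T10:00:00Z id=1001 event=FileCreate path=C:\Windows\Temp\a.dat",
    r"2014-11-20T10:01:00Z id=1002 event=Logon user=jdoe",
    r"2014-11-21T03:12:45Z id=1003 event=FileCreate path=C:\Windows\Temp\svc.dll",
    r"2014-11-22T09:00:00Z id=1007 event=FileCreate path=C:\Users\jdoe\doc.txt",
    r"2014-11-22T09:30:00Z id=1008 event=Logoff user=jdoe",
]


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(lines):
    """Return ({path: logged creation time}, [record ids]) from the toy log."""
    created, record_ids = {}, []
    for line in lines:
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        record_ids.append(int(kv["id"]))
        if kv.get("event") == "FileCreate":
            created[kv["path"]] = parse_ts(timestamp)
    return created, record_ids


def find_timestamp_anomalies(files, logged_created, tolerance=timedelta(seconds=5)):
    """Flag files whose own timestamps are impossible or disagree with the log."""
    findings = []
    for path, created_text, modified_text in files:
        created, modified = parse_ts(created_text), parse_ts(modified_text)
        if modified < created:
            findings.append((path, "modified before created"))
        logged = logged_created.get(path)
        if logged is not None and abs(created - logged) > tolerance:
            findings.append((path, "creation time disagrees with log"))
    return findings


def find_record_gaps(record_ids):
    """Return (first_missing, last_missing) ranges in a sequence of record IDs."""
    ordered = sorted(record_ids)
    gaps = []
    for previous, current in zip(ordered, ordered[1:]):
        if current - previous > 1:
            gaps.append((previous + 1, current - 1))
    return gaps


def run_checks(files=FILE_RECORDS, lines=LOG_LINES):
    """Run both checks and return the findings as a dict."""
    logged_created, record_ids = parse_log(lines)
    return {
        "timestamps": find_timestamp_anomalies(files, logged_created),
        "log_gaps": find_record_gaps(record_ids),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Neither check proves tampering on its own: a clock change or a restore from backup can also produce a disagreement, and record-ID gaps can come from log rotation. Their value is in turning "the logs look normal" into a list of specific files and ID ranges that an investigator has to explain, which is exactly what a log wiper is trying to avoid.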
Sony Pictures went into lockdown after the breach, in which terabytes of sensitive data were stolen, most of which ended up online.