New Destover malware features two new timestomping utilities

Security company, Damballa, has discovered two new utilities for 'wiping malware', like Destover, which allow it to better hide its tracks and disguise itself among your regular files

Destover malware left its mark on Sony Entertainment
Destover malware left its mark on Sony Entertainment

A new toolset has been discovered for 'wiping malware' Destover which broadens its attack surface according to security company Damballa.

The company wrote in a blog post released earlier this week that they had discovered two files closely related to the Destover malware which “would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface”.

The two discovered utilities, setMFT and afset, add notable new functionality to the 'wiping malware'.

SetMFT, the blogpost notes “is used to copy the timestamp settings from a source file on disk to a destination file, also called timestomping.” This allows malicious files to disguise themselves as legitimate ones.

Afset is also used to ‘timestomp' but can clean Windows logs to better disguise the evidence of that malicious behaviour: “It allows the attacker to remain stealthy and erase their tracks as they move through the network,” said the blogpost.

Willis McDonald, a senior threat researcher at Damballa spoke to SCMagazineUK.com on the significance of these two utilities: “In order for Destover to make a huge impact it's important for the attacker to infect as many systems as possible in a victim's organisation without being discovered. SetMFT and afset help with spreading by allowing the attacker to clean their tracks as they spread and camouflage malicious files that they leave behind.”

'Wiping malware', like Destover, is responsible for some of the more infamous hacks in recent memory and, according to security researchers, it's getting better all the time. It does exactly what you might have guessed it does. It doesn't take money or steal credentials – it merely infects a computer and wipes every piece of data off it.

Destover was at the heart of the attack on Sony last year which resulted in the leaking of masses of data from the entertainment giant. Included in that leak was personal information, private correspondence and a number of embarrassing secrets for their executives. The breach was carried out by a group calling themselves the Guardians of Peace, widely believed by intelligence officials to be linked to the North Korean government. They were reportedly responding to a film that Sony was set to release, The Interview, about a fictitious assassination plot against North Korean leader Kim Jong un.

The other notable instance of the use of 'wiping malware' was the hack against Saudi Arabian oil company, Saudi Aramco. In August 2012, 30,000 of the company's workstations were hit with the Shamoon virus, related to Destover, by a group calling themselves “Cutting Sword of Justice” and Aramco was essentially shut down for a week. 

This single attack actually drove up the price of hard drives, as an estimated 50,000 would be needed to fully recover from the Shamoon attack. A statement of intentions was published on that favourite site of hackers, Pastebin, saying that the group had acted on “behalf of an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world”. 

The statement added, “One of the main supporters of this disasters is Al-Saud corrupt regime that sponsors such oppressive measures by using Muslims oil resources. Al-Saud is a partner in committing these crimes. It's hands are infected with the blood of innocent children and people.”

Damballa's researchers note that Destover has a kind of political flavour to it, as opposed to other kinds of malware which are made for little more than profit.  

Mcdonald elaborated on this point to SC: “Wiping malware has only one purpose, to cause destruction and disruption within a victim organisation. This type of attack like other political and activist attacks is meant as an amplifier to cause chaos not only within the victim organisation but also within associated organisations within the same industry or who share views similar to the victim.”  

He added, “This is completely unlike financially motivated malware which focuses on gathering information that can be used for financial gain such as ransomware which does render data unusable but only for the purpose of obtaining ransom to restore data.”