There’s new evidence tying WCry ransomware worm to prolific hacking group
Dan Goodin
Researchers have found more digital fingerprints tying this month's WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.

On Monday, researchers from security firm Symantec presented additional evidence that further builds the case that WCry, which is also known as WannaCry, is closely linked to Lazarus Group. The evidence includes:
The discovery of three pieces of malware previously linked to Lazarus Group that were left on a network hit in the first-known infection of WCry, in February. The malware included Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.

Trojan.Alphanc, which was used to spread WCry in attacks that took place in March and April, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.

Bravonc, another trojan used to install WCry onto computers in earlier attacks, used the same IP addresses for command and control as Duuzer and Destover.

Bravonc uses code obfuscation similar to that of WCry and Infostealer.Fakepude, another piece of malware linked to Lazarus Group.

Newly discovered similarities between Contopee and the WCry ransomware itself.
The similarities in tools, techniques, and infrastructure, Symantec researchers said, make it "highly likely that Lazarus was behind the spread of WannaCry." In a blog post, they wrote:
The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions ("wcry@123", "wcry@2016", and "WNcry@2ol7"), indicating that the author of both versions is likely the same group.

The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.
In addition to the previously discovered identical code found in both WCry and Contopee, Symantec researchers say one variant of Contopee uses a custom Secure Sockets Layer implementation—including a set of 75 different ciphers—found in WCry. The OpenSSL crypto library, by comparison, provides more than 300 ciphers, making it unlikely both pieces of malware would offer precisely the same subset.
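The cipher list a custom TLS stack offers is visible on the wire in every ClientHello, so an analyst can extract it from captured traffic and use the set (and its ordering) as a clustering key across samples, which is the kind of comparison the paragraph above describes. The block below is an added example, not code from Symantec or from this article: it builds a minimal ClientHello from a constructed, hypothetical cipher list (placeholder suite IDs, not the 75 found in WCry and Contopee), parses the list back out, hashes it into a fingerprint, and scores how much two samples' offerings overlap.

```python
import struct
from hashlib import sha256

# Constructed (hypothetical) cipher suite IDs standing in for what two samples
# offer; these are NOT the 75 suites Symantec observed in WCry and Contopee.
SAMPLE_A = [0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035]
SAMPLE_B = [0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035]   # same stack
SAMPLE_C = [0x1301, 0x1302, 0xC02F]                            # unrelated stack


def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not captured traffic) that offers the given cipher suites in order."""
    body = b"\x03\x03" + bytes(32)                  # client_version + random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                             # compression: null only
    body += b"\x00\x00"                             # no extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_cipher_suites(record):
    """Return the ordered cipher suite list from a ClientHello record.
    Offsets: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, then the length-prefixed session_id."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32
    pos += 1 + record[pos]                          # skip session_id
    count = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[pos + i:pos + i + 2])[0]
            for i in range(0, count, 2)]


def cipher_fingerprint(suites):
    """Stable short hash of the ordered suite list, usable as a cluster key."""
    return sha256(",".join(f"{s:04x}" for s in suites).encode()).hexdigest()[:16]


def suite_overlap(a, b):
    """Jaccard similarity of two suite sets: 1.0 means identical offerings."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


if __name__ == "__main__":
    for name, suites in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        seen = extract_cipher_suites(build_client_hello(suites))
        print(name, cipher_fingerprint(seen), seen)
    print("A~B", suite_overlap(SAMPLE_A, SAMPLE_B), "A~C", suite_overlap(SAMPLE_A, SAMPLE_C))
```

Identical fingerprints across unrelated binaries are one more data point, not proof on their own; they carry weight when they line up with code and infrastructure overlaps of the kind listed above.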
Security researchers have long warned that attributing hacking operations and malware to specific groups is an imprecise undertaking that's frequently fraught with errors. Readers should keep those caveats front and center as they digest Symantec's findings. Still, the new similarities indicate that industry-wide agreement is growing that Lazarus Group was somehow involved in the WCry outbreak earlier this month. Don't be surprised if additional researchers unearth new similarities.