Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Analyze Data-Wiping Malware Used in Sony Attack

Researchers from Trend Micro say they have identified the piece of malware that appears to have been used in the recent cyberattack targeting the corporate network of Sony Pictures.

Researchers from Trend Micro say they have identified the piece of malware that appears to have been used in the recent cyberattack targeting the corporate network of Sony Pictures.

The group of hackers that targeted Sony, called GOP (Guardians of Peace), claims to have obtained terabytes of data from the company’s networks, including unreleased movies, business documents and employee information.

The FBI has launched an investigation into the attack, and the agency has sent out an alert to warn organizations of a destructive piece of malware that had been utilized in an attack against a target in the U.S. The FBI memo doesn’t mention Sony as the victim, but experts say the federal law enforcement agency’s five-page “flash warning” describes the attack on the entertainment company.

Trend Micro detects the threat as BKDR_WIPALL. Researchers have determined that the attack starts with BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named “diskpartmg16.exe.”

Malware Used Against Sony in Attack

The threat uses an encrypted set of usernames and passwords to log into the targeted organization’s shared network. The goal is to grant full access to everyone that accesses the system root, researchers explained in a blog post.

BKDR_WIPALL.A drops BKDR_WIPALL.B (disguised as a file named “igfxtrayex.exe“), which is the piece of malware responsible for causing damage. Once it’s dropped, BKDR_WIPALL.B sleeps for 10 minutes, after which it starts deleting files and stops the Microsoft Exchange Information Store service. The threat then sleeps for two hours and forces a system reboot.

According to researchers, BKDR_WIPALL.B also executes copies of itself with various parameters to carry out tasks such as deleting files stored on fixed and remote drives, and dropping additional components, including “usbdrv32.sys,” which gives attackers read/write access to installed files.

Trend Micro made the connection between BKDR_WIPALL and the Sony Pictures attack after discovering a different variant, detected as BKDR_WIPALL.D, that is designed to drop BKDR_WIPALL.C. In turn, BKDR_WIPALL.C drops an image file called “walls.bmp,” which is the exact “Hacked by GOP” picture that was seen by Sony employees just before the company’s corporate network was shut down due to the attack.

Reports surfaced last week about a possible involvement of North Korea in the operation against Sony. The attack was believed to be in response to “The Interview,” a comedy about an attempt to assassinate North Korean leader Kim Jong-Un. North Korean officials denied that the country had anything to do with the hack and Sony representatives said the reports were “not accurate.”

On Wednesday, Sony said the “brazen” cyberattack netted a “large amount” of confidential information, including movies as well as personnel and business files.

The investigation into the attack is ongoing, and while Sony has not provided many details so far, the company has hired FireEye-owned Mandiant to help with the forensics aspect of the investigation.

Related: Sony Slams ‘Malicious’ Hack Attack, Mum on North Korea

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.