Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Analyze Data-Wiping Malware Used in Sony Attack

Researchers from Trend Micro say they have identified the piece of malware that appears to have been used in the recent cyberattack targeting the corporate network of Sony Pictures.

Researchers from Trend Micro say they have identified the piece of malware that appears to have been used in the recent cyberattack targeting the corporate network of Sony Pictures.

The group of hackers that targeted Sony, called GOP (Guardians of Peace), claims to have obtained terabytes of data from the company’s networks, including unreleased movies, business documents and employee information.

The FBI has launched an investigation into the attack, and the agency has sent out an alert to warn organizations of a destructive piece of malware that had been utilized in an attack against a target in the U.S. The FBI memo doesn’t mention Sony as the victim, but experts say the federal law enforcement agency’s five-page “flash warning” describes the attack on the entertainment company.

Trend Micro detects the threat as BKDR_WIPALL. Researchers have determined that the attack starts with BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named “diskpartmg16.exe.”

Malware Used Against Sony in Attack

The threat uses an encrypted set of usernames and passwords to log into the targeted organization’s shared network. The goal is to grant full access to everyone that accesses the system root, researchers explained in a blog post.

BKDR_WIPALL.A drops BKDR_WIPALL.B (disguised as a file named “igfxtrayex.exe“), which is the piece of malware responsible for causing damage. Once it’s dropped, BKDR_WIPALL.B sleeps for 10 minutes, after which it starts deleting files and stops the Microsoft Exchange Information Store service. The threat then sleeps for two hours and forces a system reboot.

According to researchers, BKDR_WIPALL.B also executes copies of itself with various parameters to carry out tasks such as deleting files stored on fixed and remote drives, and dropping additional components, including “usbdrv32.sys,” which gives attackers read/write access to installed files.

Trend Micro made the connection between BKDR_WIPALL and the Sony Pictures attack after discovering a different variant, detected as BKDR_WIPALL.D, that is designed to drop BKDR_WIPALL.C. In turn, BKDR_WIPALL.C drops an image file called “walls.bmp,” which is the exact “Hacked by GOP” picture that was seen by Sony employees just before the company’s corporate network was shut down due to the attack.

Reports surfaced last week about a possible involvement of North Korea in the operation against Sony. The attack was believed to be in response to “The Interview,” a comedy about an attempt to assassinate North Korean leader Kim Jong-Un. North Korean officials denied that the country had anything to do with the hack and Sony representatives said the reports were “not accurate.”

On Wednesday, Sony said the “brazen” cyberattack netted a “large amount” of confidential information, including movies as well as personnel and business files.

The investigation into the attack is ongoing, and while Sony has not provided many details so far, the company has hired FireEye-owned Mandiant to help with the forensics aspect of the investigation.

Related: Sony Slams ‘Malicious’ Hack Attack, Mum on North Korea

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.