Department of Homeland Security (DHS) has released a new intelligence report about discovering a new strain of destructive malware called SMASHINGCOCONUT which shares many resemblances with malware used in the Sony attack in November 2014.
According to Foreign Policy “ On Dec. 17, 2017, advanced persistent threat actors deployed newly discovered destructive malware that shares a number of similarities to the destructive malware used in the Sony attack, according to a restricted report issued late last year. This is the the first known instance since 2014 that North Korea-tied destructive malware has been seen, says the report, marked For Official Use Only.”
The report did not confirm whether the malware was deployed by North Korean hackers or can be linked back to North Korea.
According to DHS report, the malware is a 32-bit windows based wiper which is capable of rendering a Windows-based system inoperable if run using administrator privileges.
Once the malware is installed, it requires command line argument from the attacker to execute it which will be any combination of characters.
If the malware is successfully installed, it will delete all the files and overwrite the master boot record (MBR) with the hard-coded data. The malware will also delete all the bootable and non-bootable partition of the system.
The malware will also halt critical windows services which alert the users about the malicious activity and “prevent log creation for transmission control protocol/Internet Protocol (TCP/IP) network activity, user logon, and power-related system events” said DHS.
After the malware finished the wiping procedures, a system reboot will be initiated before the system is rendered unusable and if the malware is executed under non-administrator privileges, it cannot modify system files, folders, and physical drives.
“if the malware executes under non-administrative privileges, its ability to modify system files, folders and physical drives is eliminated. Under this scenario, the malware will only affect the victim based on the level of user’s privileges.”