Investigators looking into the Bangladesh bank cyber heist have revealed that a specific piece of malware discovered in the attack has the “same unique characteristics” as malware found in the infamous Sony studios breach from 2014.
Security firm BAE Systems has published its analysis of the malware used in the $81 million cyber heist from Bangladesh Bank’s NY Fed Reserve account. The malware was linked to the same malware and tools used in the 2013 attack on Sony Pictures.
The common link between the two attacks was a file-deletion function with a wipe-out capability in a file called msoutc.exe, a file which researchers stated contained identical features to the malware used in the Sony breach.
The researchers stated:
“The implementation of this function is very unique. It involves complete filling of the file with random data to occupy all associated disk sectors, before the file is deleted.”
“The file-delete function itself is also unique. The file is first renamed into a temporary file with a random name, and that temporary file is also deleted,” researchers noted.
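As an added illustration (not code from the BAE report or from this article), the overwrite-then-rename-then-delete sequence described above can be turned into a detection rule over file telemetry. The event shape, file sizes and sample events below are constructed for the example; a real deployment would map them onto whatever EDR or Sysmon-style file events are available.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass
class FileEvent:
    # Constructed event shape, loosely modelled on EDR file telemetry.
    op: str              # "write", "rename" or "delete"
    path: str            # path the operation acts on
    size: int = 0        # bytes written (only for "write")
    new_path: str = ""   # destination path (only for "rename")

@dataclass
class TrackedFile:
    original_path: str
    original_size: int
    bytes_written: int = 0
    renamed_to: str = ""

def detect_overwrite_rename_delete(events: Iterable[FileEvent],
                                   file_sizes: dict) -> list:
    """Return the original paths whose lifecycle matches the described wiper:
    the whole file is overwritten in place, renamed to a new name, and the
    renamed file is then deleted. Plain deletes and partial writes are ignored."""
    tracked = {}   # current path -> TrackedFile
    hits = []
    for ev in events:
        if ev.op == "write":
            t = tracked.setdefault(ev.path, TrackedFile(ev.path, file_sizes.get(ev.path, 0)))
            t.bytes_written += ev.size
        elif ev.op == "rename" and ev.path in tracked:
            t = tracked.pop(ev.path)
            t.renamed_to = ev.new_path
            tracked[ev.new_path] = t          # keep following the file under its new name
        elif ev.op == "delete" and ev.path in tracked:
            t = tracked.pop(ev.path)
            fully_overwritten = t.original_size > 0 and t.bytes_written >= t.original_size
            if fully_overwritten and t.renamed_to == ev.path:
                hits.append(t.original_path)
    return hits

# Constructed sample: one file follows the wiper pattern, two do not.
SAMPLE_SIZES = {"/data/ledger.db": 4096, "/data/notes.txt": 100, "/data/report.txt": 300}
SAMPLE_EVENTS = [
    FileEvent("write", "/data/ledger.db", size=4096),             # full overwrite
    FileEvent("rename", "/data/ledger.db", new_path="/data/kx9q2.tmp"),
    FileEvent("delete", "/data/kx9q2.tmp"),                        # temp name deleted
    FileEvent("delete", "/data/notes.txt"),                        # ordinary delete
    FileEvent("write", "/data/report.txt", size=50),               # partial write only
    FileEvent("delete", "/data/report.txt"),
]

if __name__ == "__main__":
    print(detect_overwrite_rename_delete(SAMPLE_EVENTS, SAMPLE_SIZES))
```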
Another correlation with the Sony breach was the specific use of Visual C++ 6.0 to develop the malware, along with spelling errors that are evident in both attacks.
The FBI had notably blamed North Korea for the breach affecting Sony, with the country refuting such claims and denying any involvement. Security firm FireEye, which has since been hired by Bangladesh Bank to investigate the breach, has stated that it found evidence that hacking groups from North Korea and Pakistan were involved in the attack.
BAE’s report strongly asserts that the malware analysis provides enough evidence to link the same malware author behind the Sony attacks to the recent bank heist, even though the researchers admit that determining the source of an attack is often an impossible task.
Noting that there are indeed possibilities that may lead to an “alternative hypothesis,” the security researchers further stated that such a possibility is “unlikely.” They add, “we believe that the same coder is central to these attacks.”
In a statement that claims to have made significant inroads into the investigation, the researchers further stated:
Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone. However, this adds a significant lead to the investigation.