Google security researcher Neel Mehta published a mysterious tweet using the #WannaCryptAttribution hashtag. What did he mean?
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
According to experts at Kaspersky, the tweet points to a portion of code that Neel noticed both in a very early variant of the WannaCry ransomware found in February 2017 and in a malware sample used by the notorious Lazarus APT group dating back to February 2015.
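The tweet's format is "MD5 @ address, address": each sample is identified by its hash, and each address points at a code location inside it. The check behind such a claim is to map those virtual addresses to file offsets through the PE section table and compare the bytes found there in both samples. The following is an added example of that workflow, not Mehta's or Kaspersky's tooling; the section layouts, the file contents, the `FRAG` bytes and the helper names are all constructed for the example, and only the addresses are the ones quoted in the tweet.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Section:
    name: str
    rva: int          # relative virtual address where the section is mapped
    raw_offset: int   # offset of the section's bytes inside the file
    raw_size: int     # number of bytes the file provides for the section


@dataclass
class Sample:
    md5: str                 # hash used purely as an identifier, as in the tweet
    image_base: int          # preferred load address of the PE image
    sections: List[Section]
    data: bytes              # raw file contents


def va_to_file_offset(sample: Sample, va: int) -> int:
    """Translate a virtual address into a file offset via the section table."""
    rva = va - sample.image_base
    for sec in sample.sections:
        if sec.rva <= rva < sec.rva + sec.raw_size:
            return sec.raw_offset + (rva - sec.rva)
    raise ValueError(f"VA {va:#x} is not backed by any section")


def is_mapped(sample: Sample, va: int) -> bool:
    try:
        va_to_file_offset(sample, va)
        return True
    except ValueError:
        return False


def code_at(sample: Sample, va: int, length: int) -> bytes:
    off = va_to_file_offset(sample, va)
    return sample.data[off:off + length]


def shared_byte_ratio(a: bytes, b: bytes) -> float:
    """Fraction of positions at which the two byte windows agree."""
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / n


def compare_locations(s1: Sample, va1: int, s2: Sample, va2: int, length: int) -> float:
    return shared_byte_ratio(code_at(s1, va1, length), code_at(s2, va2, length))


def verify_md5(sample: Sample) -> bool:
    """Confirm the bytes on disk are the sample the hash names."""
    return hashlib.md5(sample.data).hexdigest() == sample.md5


# Constructed code fragment (a generic-looking prologue, not real malware code)
# and a variant that differs in its last four bytes.
FRAG = bytes.fromhex("558bec83ec1053568b750c578b7d0833")
VARIANT = FRAG[:12] + b"\x90" * 4


def _build(image_base: int, sections: List[Section], size: int,
           plants: List[Tuple[int, bytes]]) -> Sample:
    """Create a constructed file image with blobs planted at given VAs."""
    buf = bytearray(size)
    layout = Sample("", image_base, sections, b"")
    for va, blob in plants:
        off = va_to_file_offset(layout, va)
        buf[off:off + len(blob)] = blob
    data = bytes(buf)
    return Sample(hashlib.md5(data).hexdigest(), image_base, sections, data)


# Constructed stand-ins for the two samples; the addresses are those in the tweet,
# the section layouts are assumptions made for this example.
SAMPLE_A = _build(0x400000,
                  [Section(".text", 0x1000, 0x400, 0x10000)],
                  0x10400,
                  [(0x402560, FRAG), (0x40F598, FRAG)])
SAMPLE_B = _build(0x10000000,
                  [Section(".text", 0x1000, 0x400, 0x10000),
                   Section(".rdata", 0x11000, 0x10400, 0x4000)],
                  0x14400,
                  [(0x10004BA0, FRAG), (0x10012AA4, VARIANT)])

if __name__ == "__main__":
    for va_a, va_b in ((0x402560, 0x10004BA0), (0x40F598, 0x10012AA4)):
        ratio = compare_locations(SAMPLE_A, va_a, SAMPLE_B, va_b, len(FRAG))
        print(f"{va_a:#x} vs {va_b:#x}: {ratio:.2f} of bytes identical")
```

Identical bytes at a pair of addresses are only the starting point; the false-flag discussion below turns on whether such overlap is copied deliberately or inherited from a shared code base, which a byte comparison alone cannot decide.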
— Matthieu Suiche (@msuiche) May 15, 2017
What does it all mean?
The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who have investigated the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.
Experts at Symantec have in the past spotted at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which were used in targeted attacks against financial institutions.
The attackers used “watering hole” attacks to infect the machines of a specific audience with previously unknown malware.
Is it possible that the attackers behind WannaCry have used a false flag?
Experts at Kaspersky consider the false-flag theory improbable, because the shared portion of code appears only in the early version of WannaCry and was removed from later versions.
“For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.” reads a blog post shared by Kaspersky Lab.
The question is: is there a link between the early February WannaCry variant and the sample used in the recent massive cyber attacks?
According to Kaspersky, the answer is “YES”. The recent variant targets more file extensions for encryption.
“We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same source code as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.” continues Kaspersky.
Kaspersky shared the YARA rule used to find the WannaCry sample.
Let me close with the analysis shared by Matthieu Suiche from Comae:
“The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money.
If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware.
This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.
In the meantime, a third kill switch appeared in the wild, ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com — the fact it contains “lmao” would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:
(Security Affairs – WannaCry ransomware, cybercrime)