A newly identified malware, SMASHINGCOCONUT, bears a striking resemblance to malware used by North Korea in a November 2014 cyberattack on Sony, the Department of Homeland Security (DHS) said in an intelligence note.
DHS described the malware as a “32-bit Microsoft Windows-based wiper malware capable of rendering a Windows-based system inoperable if run using administrator privileges,” according to Foreign Policy, which obtained a copy of the note.
After the malware installs, a cyber actor must insert a command line argument to execute it and from there the malware deletes all files as well as writes over the master boot data record, replacing it with hard-coded data. Additionally, it turns its venom on the bootable and non-bootable partitions on the hard drive, deleting them all. Users' ability to spot the malicious and mitigate malicious activity is greatly compromised because the malware halts critical Windows services designed to alert them and prevents “log creation for transmission control protocol/Internet Protocol (TCP/IP) network activity, user logon and power-related system events,” DHS said.
But “if the malware executes under non-administrative privileges, its ability to modify system files, folders and physical drives is eliminated,” the note said, explaining that it will affect only the victim according to that user's privileges.