There have been various pieces of information floating around regarding the recent Sony breach. We have been grokking netflow data and emails from the attackers, and correlating information shared privately and publicly.
Searching various partner repositories, we discovered a likely related piece of malware that predates the information listed in the recent FBI Flash report. The original compile time of this malware is July 7th, 2014, providing further clues on the topic.
- Partner ThreatGrid / Cisco
1) The remote call-back IP is the correlation:
220.127.116.11 (listed in the recent FBI Flash advisory)
igfxtpers.exe (listed in the recent FBI Flash advisory)
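To make the correlation concrete, here is an added example (not code from the original post or from ThreatGrid/Cisco) that reads the COFF compile timestamp out of a PE header and checks a triaged sample's observed call-back IPs and filename against the indicators quoted above; the PE bytes and the second IP are constructed for the demo.

```python
# Added example: correlate a triaged sample with the indicators from the post.
# The PE image below is a constructed minimal MZ/PE header, not the real binary.
import struct
from datetime import datetime, timezone

# Indicators quoted in the post (values from the FBI Flash advisory).
INDICATORS = {"ips": {"220.127.116.11"}, "filenames": {"igfxtpers.exe"}}


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp (compile time) of a PE image in UTC."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def correlate(sample: dict, indicators: dict = INDICATORS) -> dict:
    """Report which known indicators a triaged sample shares, plus its compile time."""
    return {
        "ip_match": sorted(set(sample["callback_ips"]) & indicators["ips"]),
        "filename_match": sample["filename"] in indicators["filenames"],
        "compile_time": pe_compile_time(sample["pe_bytes"]).isoformat(),
    }


def build_min_pe(compile_time: datetime) -> bytes:
    """Constructed minimal MZ header + PE signature + COFF header with the given time."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHI", 0x14C, 3, int(compile_time.timestamp()))
    return dos + b"PE\0\0" + coff


# Constructed sample: filename and first IP from the post, 10.0.0.5 is made up.
SAMPLE = {
    "filename": "igfxtpers.exe",
    "callback_ips": ["220.127.116.11", "10.0.0.5"],
    "pe_bytes": build_min_pe(datetime(2014, 7, 7, 8, 1, 9, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    print(correlate(SAMPLE))
```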
Takeaways and Further Pointers:
- 1) The date of this sample: 08/28/14.
- 2) The compile time of this binary: Mon Jul 7 08:01:09 2014 UTC
- 3) Other IPs related with this sample: