Cyberattacks targeting South Korean Banks and Media

April 4, 2013

The Dell SonicWALL Threats Research team observed reports of new cyber attacks targeting banks and broadcasting companies in South Korea. The malware involved in these attacks brought down multiple websites and interrupted bank transactions by overwriting the Master Boot Record (MBR) and all the logical drives on the infected servers, rendering them unusable.

Infection Cycle:

  • Upon execution, the malware involved in these attacks drops the following files on the infected system:
    • %TEMP%\alg.exe - UPX packed PuTTY file Plink (a command-line interface to the PuTTY back ends)
    • %TEMP%\conime.exe - UPX packed PuTTY file PSCP (command-line secure file copy client)
    • %TEMP%\AgentBase.exe [ Windows Wiper - Detected as GAV: KillDisk.NAS (Trojan)]
    • %TEMP%\~pr1.tmp [ Unix Wiper - Detected as GAV: Linux.KillMBR (Trojan)]

  • The file ~pr1.tmp is a malicious bash script intended to wipe data from HP-UX, AIX, SunOS and Linux systems. It also wipes data from any shares mounted on these systems.
  • The malware looks for stored SSH session credentials for mRemote and SecureCRT applications at specific locations in order to identify more potential target systems on the network.
  • It uses the dropped UPX packed PSCP executable - conime.exe to transfer the Unix Wiper bash script onto the identified Unix systems and then remotely executes it using the dropped UPX packed Plink executable - alg.exe.
  • It then executes the dropped Windows Wiper executable AgentBase.exe. Windows Wiper checks for active security processes belonging to two local AV companies - AhnLab and HAURI, and attempts to terminate them as seen below:
  • It then creates a local thread responsible for overwriting the first 0x1E0 bytes of the MBR with one of the following strings:
    • PR!NCPES
    • HASTATI.
  • The malware writes the same string to all the logical and removable drives it finds on the infected system. It then forces the system to restart via the following command - shutdown -r -t 0 - making it completely unavailable to the user.
  • SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: KillDisk.NAS (Trojan)
    • GAV: (Cloud Id: 13031960) EncPk.CR (Trojan)
    • GAV: (Cloud Id: 13060749) KillMBR.Y (Trojan)
    • GAV: KillMBR.Y (Trojan)
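As an added forensic triage example (not SonicWALL's own code), the check below reads the first sector of a raw disk image and reports whether the first 0x1E0 bytes have been filled with one of the two marker strings named above. The sector layouts are constructed for the demonstration; the marker strings and the 0x1E0 length come from the advisory.

```python
# Triage check for the MBR-overwrite behaviour described in the advisory.
# Added example; sample sectors are constructed here, not captured from a victim.
from typing import Optional

SECTOR_SIZE = 512
WIPE_LEN = 0x1E0                              # bytes of the MBR the wiper overwrites
WIPER_MARKERS = (b"PR!NCPES", b"HASTATI.")    # each marker is exactly 8 bytes
BOOT_SIGNATURE = b"\x55\xAA"                  # last two bytes of a normal MBR


def classify_mbr_sector(sector: bytes) -> Optional[str]:
    """Return the marker if the first 0x1E0 bytes are that 8-byte string
    repeated end to end, otherwise None."""
    if len(sector) < WIPE_LEN:
        raise ValueError("need at least 0x1E0 bytes of the first sector")
    head = sector[:WIPE_LEN]
    for marker in WIPER_MARKERS:
        if head == marker * (WIPE_LEN // len(marker)):   # 0x1E0 is a multiple of 8
            return marker.decode("ascii")
    return None


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector still ends in 0x55AA. Note the wiper only touches the
    first 0x1E0 bytes, so a surviving signature does not mean the MBR is intact."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def make_sample_sector(marker: bytes = b"") -> bytes:
    """Constructed 512-byte sector: wiped (marker repeated over the first
    0x1E0 bytes) when a marker is given, otherwise a plausible intact one."""
    if marker:
        body = marker * (WIPE_LEN // len(marker))
    else:
        body = b"\xEB\x63\x90" + b"\x00" * (WIPE_LEN - 3)   # stand-in boot code
    tail = b"\x00" * (SECTOR_SIZE - WIPE_LEN - 2) + BOOT_SIGNATURE
    return body + tail


def triage_disk_image(path: str) -> Optional[str]:
    """Read the first sector of a raw image or block device and classify it."""
    with open(path, "rb") as fh:
        return classify_mbr_sector(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    for m in (b"", *WIPER_MARKERS):
        s = make_sample_sector(m)
        print(m or b"intact", classify_mbr_sector(s), has_boot_signature(s))
```

Run `triage_disk_image("/path/to/image.dd")` against a forensic image of an affected host; an intact MBR returns None, a wiped one returns the marker found.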