Cyberattacks targeting South Korean Banks and Media (Mar 22, 2013)

The Dell SonicWALL Threats Research team observed reports of new cyber attacks targeting banks and broadcasting companies in South Korea. The malware involved in these attacks brought down multiple websites and interrupted bank transactions by overwriting the Master Boot Record (MBR) and all the logical drives on the infected servers, rendering them unusable.

Infection Cycle:

  • Upon execution, the malware involved in these attacks drops the following files on the infected system:
    • %TEMP%\alg.exe – UPX-packed PuTTY file Plink (a command-line interface to the PuTTY back ends)
    • %TEMP%\conime.exe – UPX-packed PuTTY file PSCP (command-line secure file copy client)
    • %TEMP%\AgentBase.exe [ Windows Wiper – Detected as GAV: KillDisk.NAS (Trojan) ]
    • %TEMP%\~pr1.tmp [ Unix Wiper – Detected as GAV: Linux.KillMBR (Trojan) ]

  • File ~pr1.tmp is a malicious bash script intended to wipe data from HP-UX, AIX, SunOS and Linux systems. It also wipes data from any shares mounted on these systems.
  • The malware looks for stored SSH session credentials of the mRemote and SecureCRT applications at specific locations in order to identify more potential target systems on the network.
  • It uses the dropped UPX-packed PSCP executable (conime.exe) to transfer the Unix Wiper bash script onto the identified Unix systems and then remotely executes it using the dropped UPX-packed Plink executable (alg.exe).
  • It then executes the dropped Windows Wiper executable AgentBase.exe. Windows Wiper checks for active security processes belonging to two local AV companies, AhnLab and HAURI, and attempts to terminate them, as seen below:
  • It then creates a local thread responsible for overwriting 0x1E0 bytes of the MBR with one of the following strings:
    • PR!NCPES
    • PRINCPES
    • HASTATI.
  • The malware writes the same string over all the logical and removable drives it finds on the infected system. It then forces the system to restart via the command `shutdown -r -t 0`, making it completely unavailable to the user.
  • SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: KillDisk.NAS (Trojan)
    • GAV: (Cloud Id: 13031960) EncPk.CR (Trojan)
    • GAV: (Cloud Id: 13060749) KillMBR.Y (Trojan)
    • GAV: KillMBR.Y (Trojan)
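As an added forensic triage example (not part of the original SonicWALL analysis), the function below inspects a raw 512-byte MBR for the three marker strings named above. It assumes the marker is repeated back-to-back to fill the 0x1E0 overwritten bytes, and the sample sectors are constructed in memory, not taken from a real disk.

```python
from dataclasses import dataclass
from typing import Optional

MBR_SIZE = 512
WIPED_LEN = 0x1E0                                   # bytes overwritten, per the analysis
MARKERS = (b"PR!NCPES", b"PRINCPES", b"HASTATI.")   # strings named in the analysis
BOOT_SIGNATURE = b"\x55\xaa"                        # standard MBR signature at offset 510


@dataclass
class MbrVerdict:
    wiped: bool
    marker: Optional[bytes]   # marker that fills the overwritten region, if any
    coverage: float           # fraction of the first 0x1E0 bytes made of that marker
    signature_intact: bool    # is 0x55AA at offset 510 still present?


def inspect_mbr(sector: bytes) -> MbrVerdict:
    """Classify one raw sector. Non-overlapping marker counts tolerate a shifted
    image; >= 90% coverage of the 0x1E0-byte region is reported as wiped."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    region = sector[:WIPED_LEN]
    best, best_cov = None, 0.0
    for marker in MARKERS:
        cov = region.count(marker) * len(marker) / WIPED_LEN
        if cov > best_cov:
            best, best_cov = marker, cov
    wiped = best_cov >= 0.9
    return MbrVerdict(wiped, best if wiped else None, best_cov,
                      sector[510:512] == BOOT_SIGNATURE)


def constructed_mbr(marker: Optional[bytes] = None) -> bytes:
    """Constructed sample (not a real disk image): stub boot code, one partition
    entry and the 0x55AA signature. With a marker, the first 0x1E0 bytes are
    replaced by the repeated marker (assumed fill pattern; see lead-in)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (446 - 5)
    entry = b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\x00\x00\x10\x00"
    sector = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    if marker is not None:
        fill = (marker * (WIPED_LEN // len(marker) + 1))[:WIPED_LEN]
        sector = fill + sector[WIPED_LEN:]
    return sector


if __name__ == "__main__":
    for m in (None,) + MARKERS:
        print(m, inspect_mbr(constructed_mbr(m)))
```

Because only 0x1E0 of the 512 bytes are overwritten, the 0x55AA signature survives on a wiped sector, so a signature-only sanity check would miss this damage; the marker coverage is what gives the verdict.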