Theories Abound on Wiper Malware Attack Against South Korea

Disruptions to businesses in South Korea continue today after hackers used wiper malware to take a number of banks and television networks offline yesterday. A number of financial systems at a half-dozen banks and production systems inside South Korea’s major television networks remain down, kicking off speculation as to who is behind the attacks and how they got in.

South Korea’s Communications Committee has pinned the blame on computers based in China, and put the damage at 32,000 computers and servers inside the affected organizations. No definitive attribution has been made, and speculation ranges from hacktivism to a state-sponsored attack.

The use of wiper malware, prominent in nation-state attacks on the Aramco oil company in Saudi Arabia and a number of oil companies in Iran, could indicate similar parties behind these attacks. Or it could be an instance where hacktivists have borrowed a page from the APT playbook.

“The most advanced theory would be that they wiped the systems to clean their tracks,” said Jaime Blasco, manager of AlienVault Labs, in an email exchange with Threatpost today. “But with the information I have, I would say they just wanted to create panic and affect the daily business of the companies, that’s why they wiped the systems.”

Hacktivists prey on businesses that step on their social or political causes, and generally will do so using a distributed denial-of-service attack against their targets. The high-profile on-again-off-again DDoS attacks against a number of U.S. banks have frequently disrupted online services since the end of last year. While the group claiming responsibility insists the DDoS attacks are in retaliation for a YouTube film they said is offensive to Muslims, experts scoff that the expertise behind those attacks indicates significant funding and resources.

In this case, the attackers went to the extreme of using malware that overwrites the Master Boot Record of the Windows computers on the affected networks. Researchers at FireEye said the malware was programmed to launch at 2 p.m. local time; it would check the version of Windows on which it had landed, begin corrupting the hard drive, and disable security software, in particular products from Ahn Lab, a South Korea-based antivirus company. Symantec, meanwhile, said the malware also stops a second process in addition to the Ahn Lab client, Hauri’s ViRobot security product.

Once it enumerates all drives, it begins to overwrite the hard drive contents with the string “PRINCPES” or “HASTATI.” It then forces a reboot, which leaves the computer unusable until it is reformatted.
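For responders triaging disk images from affected machines, the overwrite pattern described above is easy to check for. The following is an added example, not code from the article or from any of the researchers quoted; the disk image it scans is constructed inline and the sector layout is an assumption for illustration.

```python
"""Scan a raw disk image for sectors overwritten with the "PRINCPES" /
"HASTATI" markers the article attributes to the wiper, and check whether
the MBR boot signature survived.  Added example; the image is constructed."""

SECTOR = 512
WIPER_MARKERS = (b"PRINCPES", b"HASTATI")


def sector_marker(sector: bytes):
    """Return the marker name if the sector is just that marker repeated
    (a trailing partial copy or NUL padding is allowed), else None."""
    stripped = sector.rstrip(b"\x00")
    if not stripped:
        return None                       # all-zero sector, not a marker fill
    for marker in WIPER_MARKERS:
        reps, rem = divmod(len(stripped), len(marker))
        if reps >= 1 and stripped == marker * reps + marker[:rem]:
            return marker.decode()
    return None


def mbr_signature_intact(image: bytes) -> bool:
    """A healthy MBR ends with the 0x55AA boot signature at offset 510."""
    return len(image) >= SECTOR and image[510:512] == b"\x55\xaa"


def scan_image(image: bytes):
    """Return (mbr_ok, [(sector_index, marker), ...]) for a raw image."""
    hits = []
    for off in range(0, len(image) - len(image) % SECTOR, SECTOR):
        marker = sector_marker(image[off:off + SECTOR])
        if marker:
            hits.append((off // SECTOR, marker))
    return mbr_signature_intact(image), hits


def build_sample_image() -> bytes:
    """Constructed sample: wiped MBR, one clean sector, two wiped sectors."""
    wiped = (b"HASTATI" * (SECTOR // 7 + 1))[:SECTOR]
    clean = (bytes(range(256)) * 2)[:510] + b"\x55\xaa"  # carries boot sig
    return wiped + clean + b"PRINCPES" * (SECTOR // 8) + wiped


if __name__ == "__main__":
    ok, hits = scan_image(build_sample_image())
    print("MBR signature intact:", ok)
    for idx, marker in hits:
        print(f"sector {idx}: filled with {marker}")
```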

“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula and these attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands,” said a post on the Symantec Security Response blog.

Blasco, meanwhile, said there are up to a dozen malicious files associated with this attack. In analyzing a few of the others aside from the wiper malware, he learned that one named imbc[.]exe clears the DNS cache used by Internet Explorer and adds new entries to the etc/hosts file. When IE requests a bank domain listed in the etc/hosts file, it is instead pointed to a malicious IP address; the file also starts the task scheduler, adds itself to the registry, and connects to a command-and-control IP. Two other executables connect to domains hosting the GonDad Exploit Kit, registered to the same email address in China. Those domains had infected more than 20 other sites in South Korea during the past 90 days, Blasco said.
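The hosts-file redirection Blasco describes leaves a simple artifact to look for: a watched domain pinned to a routable address. The check below is an added example, not code from the article or from AlienVault; the hosts-file contents, bank domain and addresses are constructed placeholders.

```python
"""Flag hosts-file entries that redirect watched domains (here: a bank's
sites) to non-local addresses, the tactic the article attributes to
imbc.exe.  Added defender example; sample data below is constructed."""
import ipaddress

# Constructed sample of a tampered Windows hosts file.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "192.0.2.10      www.example-bank.test  # injected entry\r\n"
    "198.51.100.7    online.example-bank.test\r\n"
    "0.0.0.0         ads.example.test\r\n"
)

# Constructed watchlist: domains that should never be pinned in hosts.
WATCHLIST = {"example-bank.test"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed, not a mapping
        for host in fields[1:]:
            yield no, ip, host.lower()


def is_watched(host, watchlist):
    """True if host equals or is a subdomain of a watchlisted domain."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(line_no, hostname, ip)] for watched domains pinned to a
    routable address.  Loopback/unspecified pins are blocks, not hijacks."""
    hits = []
    for no, ip, host in parse_hosts(text):
        if is_watched(host, watchlist) and not (ip.is_loopback or ip.is_unspecified):
            hits.append((no, host, str(ip)))
    return hits


if __name__ == "__main__":
    for no, host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip} (possible redirect)")
```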

“It means that GonDad is very active at least targeting South Korean users. The actors (maybe cybercriminals) that run those exploit kits can compromise thousands of South Korean users and install malware in the systems that will be part of the attacker’s botnet,” Blasco said, adding that the exploit kit has been primarily pushing banking malware against South Korean targets. “But even if you compromise the systems using a banking malware most of them have capabilities to upload a different payload. As a result if you buy access to those botnets you can just upload your own malware that will be installed in previously compromised systems.”

Blasco theorized that if the attackers had access to this infrastructure, they would have had access to thousands of hosts and could have chosen which were of most interest to their efforts.

“They could have manually uploaded another payload to each of the systems and then could have performed lateral movement to own the network,” he said. “Once they are in the network they can easily execute the wiping payload.”