Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit

A wave of cyberattacks that targeted South Korean banks and media networks today employed destructive malware that wiped the hard drives and attached drives of infected machines, crippling the organizations for hours as data was lost and the infected machines were unable to reboot.

Details of the attacks are still coming to light, but security experts have gotten a close-up look at the malware that was used in the attacks. One theory being studied by Symantec and other security firms is whether the malware initially was spread via drive-by attacks, specifically with a watering-hole strategy that infected websites users at those organizations would frequent, but Symantec says it has not confirmed that vector. Security firm Avast, meanwhile, suggests that the attack originated from a legitimate Korean website, that of the Korea Software Property Right Council (SPC), which housed the malware.

Reports came out of South Korea today that computer screens went blank at 2 p.m. local time/5:00 a.m. GMT. The machines were defaced with a message from "The WhoIs Team" warning that the attackers had all of the victims' user accounts and data -- and that they had deleted the data. "We'll be back soon," the messages also said. Television media outlets YTN, MBC, and KBS were targeted, as were two major banks, Shinhan Bank and NongHyup Bank, according to Reuters. Other reports said Korean ISP LG U+, which provides services to some of the victims, also was breached in the attacks.

South Korean military and government networks weren't infected, but the Korean army raised its alert level amid worries that North Korea was behind the attacks, given the escalating tensions between the nations. North Korea several days ago claimed that South Korea and the U.S. were behind attacks that knocked several of its websites offline for close to two days -- all of that in the wake of recent nuclear threats from North Korea, as well as drone and rocket-attack exercises it has conducted.

While the data-wiping attack against South Korean banks and media outlets has the earmarks of hacktivists, attribution is difficult. So far, there's no confirmation of a larger cyberwar campaign by North Korea or another nation, but not surprisingly, that was one of the initial concerns when the attacks hit. The signs could be mere false flags as well, aimed to throw investigators off the trail of the real attackers.

Another theory is that China is behind the attacks on South Korea. That was the conclusion of security firm Avast after studying the malware and finding several Chinese words and other clues in the malware. "The attack probably originates in China. Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executable makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese," according to its blog post today, pointing out some Chinese words in the code.

Regardless of who is behind them, the attacks resemble the one that hit Saudi Aramco last year, which is believed to have used the data-destroying Shamoon malware, wiped data from some 10,000 machines, and crippled the company's internal network. Even so, the malware used in the South Korean attacks is different from Shamoon in some ways, says Liam O Murchu, manager of operations at Symantec Security Response. "It operates differently ... but it's still destructive," Murchu says.

It was specifically written for Korean targets, for instance, and checks for Korean antivirus products to disable, Murchu says. In addition, it overwrites the Master Boot Record (MBR), wipes the contents of the hard disk, and can do the same to any attached or mapped drives. With the MBR and disk contents destroyed, the machine can no longer boot. Symantec has named the malware Trojan Horse/Trojan.Jokra and WS.Reputation.1.
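Because the damage described above starts with the boot sector, a recovery or forensics team's first question for each disk is whether its MBR is still intact. The following is an added example, not code from the article or from Symantec: a small Python checker that reads the first 512 bytes of a disk image, validates the 0x55AA boot signature and the four partition-table entries, flags a sector that has been zero-filled or overwritten with a single byte value, and optionally compares the sector's SHA-256 against a baseline hash recorded before the incident. The sample "healthy" and "wiped" sectors are constructed inline for the demonstration; the image path and baseline hash are assumptions a practitioner would replace with their own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"          # boot signature at bytes 510..511

# Layout of one partition entry: boot flag, CHS start (3), type, CHS end (3),
# LBA start (u32), sector count (u32) -- all little-endian.
ENTRY_FMT = "<BBBBBBBBII"


def read_mbr(path):
    """Read the first sector from a raw disk image or block device (assumed path)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def mbr_sha256(mbr):
    """Hex SHA-256 of the sector; record this as a baseline while the disk is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def parse_partitions(mbr):
    """Return the four partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        boot, _, _, _, ptype, _, _, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        entries.append({"boot": boot, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr, baseline_sha256=None):
    """Return a list of short finding codes; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return ["bad_length"]
    if mbr[510:512] != SIGNATURE:
        findings.append("no_signature")
    # A zero-filled or pattern-filled sector is the classic footprint of a wiper.
    if all(b == mbr[0] for b in mbr):
        findings.append("uniform_fill")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 for p in parts):
        findings.append("no_partitions")
    for i, p in enumerate(parts):
        if p["boot"] not in (0x00, 0x80):        # only "inactive" or "active" are valid
            findings.append(f"bad_boot_flag:{i}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"empty_partition:{i}")
    if baseline_sha256 is not None and mbr_sha256(mbr) != baseline_sha256:
        findings.append("hash_mismatch")
    return findings


def build_sample_mbr():
    """Constructed sample: one active NTFS-type (0x07) partition at LBA 2048, 1,000,000 sectors."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\x00\x90"                       # stand-in for real boot code
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = mbr_sha256(healthy)                   # would be stored before an incident
    wiped = bytes(SECTOR_SIZE)                       # constructed: zero-filled sector
    print("healthy:", check_mbr(healthy, baseline) or "intact")
    print("wiped:  ", check_mbr(wiped, baseline))
    # On a real image: print(check_mbr(read_mbr("/path/to/disk.img"), baseline))
```

Run against a disk image taken during triage, a non-empty finding list (particularly `uniform_fill` together with `no_signature`) tells the responder the boot sector is gone and the disk must be restored from backup rather than repaired, while `hash_mismatch` alone points to a modified but still structurally valid MBR that deserves a closer look.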

"It is likely that the group that is called 'Whois Team' is a new one [and] just decided to deface the LG-owned website after they watched the news and they found about the attacks affecting the banks and media systems," says Jaime Blasco, labs manager at Alien Vault Labs. "Another possibility is that a sophisticated group of attackers gained access to the banks and media systems, performed whatever actions they wanted to do, and then wiped all the systems to clean their tracks."

Or the attackers merely wanted to create panic and financial loss to the victims, he says. "The LG-owned website hack can also be a diversionary tactic or false flag operation to give false data about who is behind the attacks," Blasco says.

The malware may have been created using the GonDad exploit kit available on the black market, based on the filenames used in the attack, he says, although that's just a theory for now.

"I would say that the attackers could have built or bought access to a botnet that had infected systems from the affected entities -- media and banking, etc. -- and then they could have gained access to the network, gotten admin credentials, and executed the wiper payload," he says.

[Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery. See The Data-Annihilation Attack Is Back.]

"Obviously, the attacks were designed to be 'loud' -- the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," Kaspersky lab analysts wrote in a blog post today.

Kaspersky analysts say it's hard to tell whether this was an isolated attack or part of a larger "cyberwar" initiative. "If a nation state is NOT behind these attacks, then it's just cyber-terrorism; cyberwar requires a nation state to be behind the attacks. In general, if the attacks target critical infrastructure, they can be considered cyber-terrorism. According to the definition of critical infrastructure, banks can be considered as such, therefore, this counts as a cyberterrorism attack," they said. "Previous incidents like Stuxnet and Wiper were part of an ongoing cyberwar campaign that went for years, although in a more stealthy fashion."


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
