Researchers at Trend Micro have spotted a new variant of the disk-wiping KillDisk malware targeting financial organizations in Latin America.
Earlier, in January, a KillDisk variant was already seen targeting financial organizations in the region.
In May, the researchers uncovered master boot record (MBR)-wiping malware in the same region. One of the infected organizations was a bank; its systems were rendered inoperable for several days, disrupting operations for almost a week.
“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the infected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers,” Trend Micro said in its post.
The wiping itself was only a distraction: the real goal of the attack was to gain access to the systems connected to the bank’s local SWIFT network.
Based on the error message displayed on the affected systems, the researchers determined that the malware was another variant of KillDisk.
Initial analysis showed that the file was built with the Nullsoft Scriptable Install System (NSIS), an open-source tool for creating Windows installers.
The attackers named the file “MBR Killer”, and it was protected with VMProtect, a commercial packer used to hinder reverse engineering.
The researchers found no evidence of command-and-control (C&C) infrastructure or C&C communication in the sample.
How the KillDisk malware works
The malware attempts to wipe every physical hard disk it finds on the infected system. It calls the CreateFileA API on \\.\PHYSICALDRIVE0 to obtain a handle to the disk.
It then overwrites the first sector of the disk (512 bytes, which on an MBR-partitioned disk holds the boot code and the partition table) with 0x00 and forces the system to shut down via the ExitWindows API. Because only sector 0 is zeroed, the partition contents themselves are left on disk; the machine will no longer boot, but the data can often be recovered from a forensic image by rebuilding the partition table.
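As an added triage example (not code from Trend Micro or from the malware), the following Python script classifies the first 512 bytes of a disk image as a plausible MBR, a sector that has been zeroed in the way described above, or something unrecognised, and parses the partition table when one is present. The two sample sectors are constructed inline for the example; on a real case, feed it the first 512 bytes of a forensic copy of the disk.

```python
"""Classify sector 0 of a disk image: intact MBR, zero-wiped, or unrecognised.

Added example for this article, not Trend Micro's or the malware's code.
The sample sectors below are constructed for the example.
"""
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"          # boot signature at offset 510
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte classic MBR partition entry."""
    status, ptype, lba_start, count = struct.unpack_from(PARTITION_ENTRY_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": count}


def classify_sector0(sector: bytes) -> dict:
    """Return a verdict for a 512-byte sector-0 image plus the partition entries in use."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[510:512] == MBR_SIGNATURE
    all_zero = not any(sector)
    entries = [
        parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        for off in range(PARTITION_TABLE_OFFSET,
                         PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE,
                         PARTITION_ENTRY_SIZE)
    ]
    used = [e for e in entries if e["type"] != 0]   # type 0x00 means an empty slot
    if all_zero:
        verdict = "wiped"              # the 512 bytes of 0x00 the article describes
    elif signature_ok and used:
        verdict = "mbr"
    elif signature_ok:
        verdict = "mbr-no-partitions"
    else:
        verdict = "unrecognised"       # no 0x55AA signature, but not the all-zero pattern either
    return {"verdict": verdict, "signature_ok": signature_ok, "all_zero": all_zero, "partitions": used}


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP-filled boot code area and one bootable NTFS (0x07) partition."""
    sector = bytearray(b"\x90" * PARTITION_TABLE_OFFSET) + bytearray(4 * PARTITION_ENTRY_SIZE) + bytearray(MBR_SIGNATURE)
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 409600)
    return bytes(sector)


# Constructed sample: what sector 0 looks like after the zero overwrite.
WIPED_SECTOR = bytes(SECTOR_SIZE)


if __name__ == "__main__":
    # Usage: python mbr_triage.py <disk-image>; with no argument the two samples are classified.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify_sector0(fh.read(SECTOR_SIZE)))
    else:
        print("sample MBR :", classify_sector0(build_sample_mbr()))
        print("wiped disk :", classify_sector0(WIPED_SECTOR))
```

A "wiped" verdict on sector 0 alone does not mean the data is gone: with the partition table destroyed, the next step is to scan the image for filesystem boot sectors (for NTFS, the "NTFS    " OEM string at the start of a partition) and rebuild the table from what is found.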
Trend Micro concluded: “The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers.”