New Variant of KillDisk Malware Target Financial Organization in Latin America

KillDisk Malware

Researchers at Trend Micro spotted a new variant of disk wiping KillDisk malware targeting financial organization in Latin America.

Earlier in January, a variant of  KillDisk malware was seen targeting financial organization in Latin America.

In May, researchers discovered a master boot record (MBR)-wiping malware in Latin America. A bank was also infected with the malware resulting in disruptions of operation over a week.

“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the infected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers. “ said in the post published by Trend Micro

The attack was just a distraction the real goal was to get access to the systems connected to the bank’s local SWIFT network.

Based on the error message displayed in the affected researchers were able to determine the malware was another variant of KillDisk.

KillDisk malware
Source: Trend Micro

In the initial analysis discovered the file was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs.

The attackers named the file as  “MBR Killer” and was protected with VMProtect which is a tool used to protect against reverse engineering.

Researchers did not find any evidence of command-and-control (C&C) infrastructure or communication in the sample file.

Working of KillDisk Malware

The malware will wipe all the physical hard disk found on the infected system. The KillDisk uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk.

The malware then overwrites the first sector of the disk (512 bytes) with “0x00” and force the system to shutdown via the API ExitWindows.

KillDisk malware
Source: Trend Micro

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers.”

 

Comments

Please rate this content