Information about the South Korean banks and media systems attacks

March 20, 2013 | Jaime Blasco

As many of you probably know, several South Korean banks and media companies have been affected by an attack that wiped a number of systems.

It seems the South Korean security company Nshc has published more details on its Facebook page.

Based on the samples we collected, the malware overwrites the MBR (Master Boot Record) of the system. After reboot the system can’t boot anymore.

The samples use the word “HASTATI” to overwrite the MBR data.

The malware then shuts down the system using:

shutdown -r -t 0

We have seen that the samples check for the presence of several security tools:

AhnLab Policy Agent - pasvc.exe

Hauri ViRobot - clisvc.exe

And tries to kill them using taskkill:

taskkill /F /IM pasvc.exe

taskkill /F /IM clisvc.exe

Within the samples we found references to three words:

PRINCPES

HASTATI.

NCPES

According to Wikipedia, “Hastati (singular: Hastatus) were a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment—light armour and a large shield, in their service as the lighter infantry of the legion. Later, the hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the first battle line. They fought in a quincunx formation, supported by light troops. They were eventually done away with after the Marian reforms of 107 BC.”
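As an added example (not code from the original post or from Nshc), the following Python triage helper looks for the two behaviours described above: the HASTATI/PRINCPES/NCPES strings in a boot sector whose 0x55AA signature is gone, and the taskkill-against-AV followed by `shutdown -r -t 0` sequence in process logs. The `host|command` log format, host names and sample sectors are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the post: the AV processes the wiper kills and the
# strings it writes. Log format, host names and sample sectors are constructed.
KILLED_AV_PROCESSES = {"pasvc.exe", "clisvc.exe"}
WIPER_STRINGS = (b"PRINCPES", b"HASTATI", b"NCPES")
MBR_SIZE = 512

TASKKILL_RE = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.IGNORECASE)
SHUTDOWN_RE = re.compile(r"shutdown\s+-r\s+-t\s+0", re.IGNORECASE)


def scan_mbr(sector: bytes) -> dict:
    """Inspect a 512-byte boot sector for the overwrite the post describes."""
    marker = next((s for s in WIPER_STRINGS if s in sector), None)
    return {
        "wiper_string": marker.decode() if marker else None,
        # A sane MBR ends in 0x55 0xAA; a sector filled with HASTATI does not.
        "valid_signature": len(sector) == MBR_SIZE and sector[510:512] == b"\x55\xaa",
    }


def triage_process_log(lines):
    """Return hosts where an AV process was killed and a reboot was then forced."""
    seen = defaultdict(lambda: {"killed_av": set(), "reboot": False})
    for line in lines:
        host, _, cmd = line.partition("|")
        m = TASKKILL_RE.search(cmd)
        if m and m.group(1).lower() in KILLED_AV_PROCESSES:
            seen[host]["killed_av"].add(m.group(1).lower())
        if SHUTDOWN_RE.search(cmd):
            seen[host]["reboot"] = True
    return sorted(h for h, s in seen.items() if s["killed_av"] and s["reboot"])


# Constructed sample telemetry: ws-01 shows the full sequence, ws-02 only a reboot.
SAMPLE_LOG = [
    "ws-01|taskkill /F /IM pasvc.exe",
    "ws-01|taskkill /F /IM clisvc.exe",
    "ws-01|shutdown -r -t 0",
    "ws-02|taskkill /F /IM notepad.exe",
    "ws-02|shutdown -r -t 0",
]
# Constructed sectors: one filled with the HASTATI pattern, one intact.
WIPED_MBR = (b"HASTATI" * 74)[:MBR_SIZE]
CLEAN_MBR = b"\x00" * 510 + b"\x55\xaa"

if __name__ == "__main__":
    print(triage_process_log(SAMPLE_LOG))  # ['ws-01']
    print(scan_mbr(WIPED_MBR), scan_mbr(CLEAN_MBR))
```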

Related samples:

ApcRunCmd.exe db4bbdc36a78a8807ad9b15a562515c4

OthDown.exe 5fcd6e1dace6b0599429d913850f0364

0a8032cd6b4a710b1771a080fa09fb87

f0e045210e3258dad91d7b6b4d64e7f3

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.