Deep Discovery Protects Users From MBR-Wiping Trojan In South Korea
On March 20, several attacks hit various South Korean government agencies and corporations, resulting in major disruptions to their operations. The incident started when several of their computer screens went black, while others displayed an image of a skull and a “warning”.
However, Trend Micro was able to protect our enterprise users in Korea against this threat. Two of our threat discovery solutions – Deep Discovery Inspector and Deep Discovery Advisor – heuristically detected and reported malicious traffic and messages sent to two Trend Micro customers, which we later determined to be related to this attack. Because our solutions were able to detect this attack in real time, our customers were not at risk.
We have acquired several samples (detected as TROJ_INJECTO.BDE) related to the event, which we believe were responsible for the main routines seen in this attack. This malware overwrites the Master Boot Record (MBR) with repeated copies of the strings HASTATI and PRINCPES. In normal usage, the MBR contains information necessary for any operating system to boot correctly. After overwriting it, the malware automatically restarts the system; because the MBR is now damaged, the system is unable to boot.
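To show what a defender or incident responder would look for when triaging an affected disk, here is an added example that is not part of the original post or of any Trend Micro product: a small Python check that reads one 512-byte sector, verifies the 0x55AA boot signature, parses the four MBR partition entries, and counts occurrences of the HASTATI and PRINCPES strings named above. The two sample sectors are constructed inline for illustration; the script reads nothing from a real disk, and the function and sample names are assumptions of this example.

```python
"""
Added example (not from the original post): forensic triage of an MBR sector.

The check decides whether a sector still looks like a usable MBR (boot
signature present, at least one plausible partition entry) or whether it has
been overwritten with the repeated HASTATI / PRINCPES strings described in the
post.  Both sample sectors below are constructed here; they are not captured
from a real system.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
WIPER_MARKERS = (b"HASTATI", b"PRINCPES")  # strings named in the post


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four classic MBR partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector: bytes) -> Dict[str, object]:
    """Return a verdict ('bootable', 'wiped' or 'damaged') plus the evidence behind it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    marker_hits = {m.decode(): sector.count(m) for m in WIPER_MARKERS}
    # A usable entry has a nonzero type and size and a status byte of
    # 0x00 (inactive) or 0x80 (bootable); anything else is not a real entry.
    usable = [e for e in parse_partition_table(sector)
              if e["type"] != 0 and e["sectors"] != 0 and e["status"] in (0x00, 0x80)]
    if sum(marker_hits.values()) > 0 and not has_signature:
        verdict = "wiped"
    elif has_signature and usable:
        verdict = "bootable"
    else:
        verdict = "damaged"
    return {"boot_signature": has_signature, "usable_partitions": len(usable),
            "marker_hits": marker_hits, "verdict": verdict}


def build_healthy_mbr() -> bytes:
    """Constructed sample: a few arbitrary code bytes, one bootable partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e"  # placeholder boot-code bytes
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 409600)       # active, type 0x07, 2048 .. +409600
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_mbr() -> bytes:
    """Constructed sample: the whole sector filled with the repeated marker strings."""
    return (b"HASTATIPRINCPES" * 40)[:SECTOR_SIZE]


if __name__ == "__main__":
    for label, sample in (("healthy", build_healthy_mbr()), ("wiped", build_wiped_mbr())):
        print(label, triage_mbr(sample))
```

On a real investigation the sector would come from a forensic image (the first 512 bytes of the device), not from the constructed samples; the missing signature together with the marker strings is the combination that distinguishes this wiper from ordinary partition-table corruption.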
Though overwriting the MBR is not a new technique (it is not unusual in ransomware, which locks systems until users make payments to cybercrime gangs), it makes system cleanup more difficult and time consuming.
Other attacks have also hit South Korean targets at this time. The website of a major electronics conglomerate was defaced. In addition, the websites of several banks may have been compromised and exploits used to plant backdoors on the systems of visitors. At this point, there is no evidence that these attacks were coordinated or connected in any manner; the timing may have been purely coincidental or opportunistic.
Our threat discovery solutions detected this threat as HEUR_NAMETRICK.B in ATSE 9.740.1012. In addition, the malicious files involved in the attacks above are detected by other Trend Micro products and solutions using Official Pattern Release 9.801.00 or later. Our investigation into these attacks is still in progress, and we will release more details at a later time as necessary.