How Deep Discovery Protected Against The Korean MBR Wiper
We have continued to look into the MBR-wiping attacks that hit Korea earlier. We believe we now have a good picture of how the attack was conducted, why it caused so much damage, and how we were able to protect users using the threat discovery capabilities found in Trend Micro Deep Discovery.
On March 19, we saw the first indications of this attack: South Korean organizations received a spam message, posing as coming from a bank, that carried a malicious attachment. The attachment was in fact a downloader, which fetched 9 files from several different URLs; to hide its malicious routines, it displayed a fake website to the user.
It was at this stage that Deep Discovery protected our customers. The Advanced Threat Scan Engine (ATSE) heuristically detected the malicious attachment, and Deep Discovery then executed the attachment in a sandbox, producing the list of URLs it contacted. Blocking those URLs right away cut off the download stage. The combination of the information provided by Deep Discovery and decisive action by IT administrators ensured our customers were protected in a timely manner. The screenshot below shows the appearance of the alerts:
A Trojan dropper was then pushed to endpoints via certain central management servers, so every system that connected to those servers received the malware. It drops the following four components:
- a bash script
- a Master Boot Record (MBR) wiper
- a PuTTY SSH client
- a PuTTY SCP client
The best-known component is the MBR wiper. It is dropped on Windows systems first and sleeps until March 20 at 2:00 PM. At that date and time the malware activates: it terminates certain processes and then searches for remote connections stored by two applications, mRemote and SecureCRT. Using any stored root credentials, it logs into the remote Linux and Unix servers those tools know about. On AIX, HP-UX, and Solaris servers it wipes the MBR; if it is unable to wipe the MBR, it instead deletes the directories /kernel/, /usr/, /etc/, and /home/.
It then overwrites the local MBR with the strings “PRINCPES”, “HASTATI”, and “PR!NCIPES” and automatically restarts the system. With the MBR destroyed, the system is unable to boot.
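The post describes the end state the wiper leaves behind: a first sector filled with a short marker string instead of boot code, a partition table, and the 0x55AA signature. As an added forensic example (this is not code from the original post or from Trend Micro), the following Python script triages a 512-byte sector image and reports whether it looks intact, wiped with one of the marker strings the post lists, or otherwise damaged. The clean and wiped sectors are constructed inline for the demo; the boot-code prefix and the single NTFS partition entry are illustrative, not bytes taken from an affected machine.

```python
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow
# Overwrite strings the post reports the wiper writing into the MBR.
WIPER_MARKERS = (b"PRINCPES", b"HASTATI", b"PR!NCIPES")


def build_clean_mbr():
    """Construct a minimal, well-formed MBR for the demo.
    Constructed sample, not an image of a real disk: the boot-code prefix and
    the single NTFS partition entry are illustrative."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:7] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"      # xor ax,ax / mov ss,ax / mov sp,0x7c00
    # entry 0: bootable (0x80), type 0x07 (NTFS), CHS filler, LBA start 2048, 1 GiB of sectors
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_wiped_mbr(marker=b"PRINCPES"):
    """Simulate the wiper's effect: the whole sector filled with a repeated marker string."""
    reps = SECTOR_SIZE // len(marker) + 1
    return (marker * reps)[:SECTOR_SIZE]


def triage_mbr(sector):
    """Classify a 512-byte sector as 'intact', 'wiped' (marker strings present)
    or 'damaged' (no markers, but the signature or partition table is broken)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    has_signature = sector[510:512] == BOOT_SIGNATURE
    if not has_signature:
        findings.append("boot signature 0x55AA missing")
    markers = [m.decode() for m in WIPER_MARKERS if m in sector]
    if markers:
        findings.append("wiper marker string(s) present: " + ", ".join(markers))
    usable_entries = 0
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        if entry == b"\x00" * 16:
            continue                                 # empty slot, nothing to check
        status, ptype = entry[0], entry[4]
        sector_count = struct.unpack_from("<I", entry, 12)[0]
        if status in (0x00, 0x80) and ptype != 0 and sector_count > 0:
            usable_entries += 1
        else:
            findings.append(
                f"partition entry {i} malformed (status=0x{status:02x}, type=0x{ptype:02x})")
    if markers:
        verdict = "wiped"
    elif findings:
        verdict = "damaged"
    else:
        verdict = "intact"
    return {"verdict": verdict, "markers": markers,
            "partition_entries": usable_entries, "findings": findings}


def read_first_sector(path):
    """Read sector 0 from a disk image or block device (e.g. /dev/sda; a device needs root)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: read_first_sector(sys.argv[1])}
    else:
        samples = {"constructed clean MBR": build_clean_mbr(),
                   "constructed wiped MBR": build_wiped_mbr()}
    for name, sector in samples.items():
        result = triage_mbr(sector)
        print(f"{name}: {result['verdict']}")
        for line in result["findings"]:
            print("   -", line)
```

Run it with no arguments to see the two constructed samples classified, or pass a disk image or block device path to triage the first sector of a real drive. The marker list is only what the post reports, so a sector without those strings is not proof the machine was untouched; the missing-signature and malformed-entry checks catch overwrites with other content, and an analyst should still compare the sector against a known-good copy of the machine's MBR.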
The reader can instantly see how this attack caused so much damage. It rendered Windows, Linux, and Unix systems unable to boot, the credentials administrators had saved in their connection managers carried the wiper onto the Unix servers, and administrators could not quickly repair the damage. In addition, as we mentioned in the previous post, cleanup can be time-consuming.
This highlights the importance of a proper custom defense solution in finding threats to act upon. Deep Discovery was able to identify and provide information that proved useful to IT administrators to help protect users.
Post from: Trendlabs Security Intelligence Blog – by Trend Micro