December 23, 2024

MBR Wiper Attacks Hit Korean Power Plant: Trend Micro

Posted on December 24, 2014 by in Security

Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

U.S. Leads Way in PoS Malware Infections in Q3: Trend Micro

Posted on December 2, 2014 by in Security

The United States is at the top of the list of countries with the most infections of point-of-sale (PoS) malware during the third quarter of the year, according to research from Trend Micro.

In its threat report for Q3, Trend Micro reported that the U.S. accounted for 30 percent of PoS malware infections. The next three places on the list – Taiwan, Philippines and Italy – each accounted for six percent of infections.

“Early this year, one of the largest retail companies in the U.S. disclosed that approximately 40 million consumer credit and debit card information was compromised as a result of a breach in its systems,” according to the report. “Not long afterward, Home Depot topped that record when it disclosed that more than 100 million customer records that included credit card information was stolen as a result of a payment systems breach. The threat actors behind these breaches attacked the retailers’ point-of-sale (PoS) systems. BlackPOS was implicated in the incident reported early this year, while BlackPOS version 2 was used in the Home Depot breach. This further indicates that PoS networks are highly accessible and vulnerable.”

The report identified three new pieces of PoS malware that were spotted during the third quarter: BrutPOS (Tibrun), Backoff (POSLOGR) and BlackPOS Version 2 (MEMLOG).

Recently, researchers at Trend Micro identified a new piece of PoS malware detected by the firm as TSPY_POSLOGR.K that is designed to read the memory associated with specific processes written in the .INI file. It then saves the data to files named “rep.bin” and “rep.tmp.”

“Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data,” Anthony Joe Melgarejo, threat response engineer at Trend Micro, explained in a blog post. “It is highly possible that this is deployed as a package.”

The report also noted a spike in online banking malware infections between the second and third quarters. As in the case of PoS malware, the United States was the most affected country, accounting for about 13 percent of infections.

“Our findings confirm that we are battling rapidly moving cybercriminals and evolving vulnerabilities simultaneously,” said Raimund Genes, CTO at Trend Micro, in a statement. “With this fluidity, it’s time to embrace the fact that compromises will continue, and we shouldn’t be alarmed or surprised when they occur.  Preparation is key and as an industry we must better educate organizations and consumers about heightened risks as attacks grow in volume and in sophistication. Understanding that cybercriminals are finding vulnerabilities and potential loopholes in every device and platform possible will help us confront these challenges so technology can be used in a positive way.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed