South Korean wiper attacks spread through hijacked anti-virus update server

The attacks on South Korea used wiper malware that destroyed the hard drives of infected computers and left them unable to boot after restart.

According to research by Fortinet, the attackers in this incident broke into the servers of a local anti-virus company and planted malware there, which was then pushed out to clients as if it were a normal update patch.

Details remain sketchy on who was responsible, with fingers being pointed at both hacktivists and North Korea. Evidence uncovered by Fortinet's Threat Response Team and the Korea Information Security Association found that some command and control (C&C) channels possibly involved in the wiper attack were registered by individuals with ties to other sites hosting typical Chinese exploit packs, but this is not evidence that Chinese actors were responsible.

Guillaume Lovet, senior manager of the FortiGuard Labs threat response team at Fortinet, said that the hackers had earlier stolen administrator login credentials for the security vendor's patch management server through some form of advanced persistent threat (APT) intrusion.

“With the login information, the hackers created malware on the patch management server that masqueraded as a normal signature update file,” he said.

“This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record on each PC to prevent it from booting up normally. This malware, a Trojan-like virus, has been set to activate on March 20th at 2pm Korea time on the infected PCs.”

Lovet acknowledged that Fortinet did not know how the malware first got onto the affected networks, but said it was possible that those networks were already part of one or several ordinary botnets, and that the attackers simply bought from the botnet owners the right to install their wiper malware.

He said: “Working with the Korea Information Security Association, Fortinet found evidence that the attacks were prepared way beforehand. The attackers were trying to infect as many systems as they could prior to the 2pm deadline. Then, at that time, everything would be destroyed in unison. The entire scheme was clearly thought out and premeditated.”

Researchers at Symantec said a Trojan named ‘Jokra’ was used in the attacks, which is capable of overwriting a computer's master boot record (MBR) and all data stored on the disk. The Trojan also attempts to repeat this data-wiping process on any drives ‘attached or mapped to the compromised computer’.

Symantec said that further research showed the malware also carried a wiper component that erases Linux machines.
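The damage described above is to sector 0 of the disk: once the MBR's boot code, partition table and 0x55AA signature are overwritten, the machine cannot find anything to boot. The following triage check, added here as an example and not code from Symantec, Fortinet or the article, reads a 512-byte MBR image and reports whether it still looks like a boot sector. The sample images are constructed in the block (a minimal healthy MBR with one NTFS-type partition, and a variant overwritten with a repeating ASCII fill); the fill pattern is an assumption for illustration, not the bytes this particular wiper wrote.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"         # bytes 510-511 of an intact MBR
PARTITION_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(wiped: bool = False) -> bytes:
    """Return a constructed 512-byte MBR image (not a real disk capture).

    Healthy: a 4-byte boot stub padded with NOPs, one bootable NTFS-type
    partition entry, three empty entries, then the 0x55AA signature.
    Wiped: the whole sector overwritten with a repeating ASCII pattern
    (assumed fill; a real wiper may use zeros or another string).
    """
    if wiped:
        pattern = b"WIPED!"
        return (pattern * (MBR_SIZE // len(pattern) + 1))[:MBR_SIZE]
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 4)
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


def inspect_mbr(mbr: bytes) -> dict:
    """Check one MBR sector for signs that a wiper overwrote it."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    report = {
        "boot_signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": [],
        "findings": [],
    }
    if not report["boot_signature_ok"]:
        report["findings"].append("boot signature 0x55AA missing: sector overwritten or zeroed")
    if len(set(mbr)) <= 8:
        # Real boot code uses many distinct byte values; a handful means a fill pattern.
        report["findings"].append("sector is a low-variety fill pattern, not boot code")
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            report["findings"].append(f"partition {i}: invalid status byte 0x{status:02x}")
        report["partitions"].append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
        })
    report["likely_wiped"] = not report["boot_signature_ok"] or not report["partitions"]
    return report


def inspect_device(path: str) -> dict:
    """Read sector 0 from a raw device or image (e.g. /dev/sda, \\\\.\\PhysicalDrive0,
    or a forensic .dd file); raw device access needs administrator rights."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(MBR_SIZE))


if __name__ == "__main__":
    for label, image in (("healthy", build_sample_mbr()),
                         ("wiped", build_sample_mbr(wiped=True))):
        r = inspect_mbr(image)
        print(f"{label}: likely_wiped={r['likely_wiped']} findings={r['findings']}")
```

Run against a disk image taken from an affected host, the check distinguishes a merely unbootable system (signature intact, partition table plausible) from one whose first sector has actually been destroyed, which is what decides whether the partition table can be rebuilt or the data must be carved.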

Jaime Blasco, labs director at AlienVault, said: “If the goal of the attackers was to create panic, it means they did not have a specific list of victims. From my point of view, one of the easiest ways to gain access to several targets without having too many resources or skills would be: buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure; or even better, rent a botnet (or botnets) that has access to hundreds of computers and try to find victims inside interesting targets.”

He said that analysis of one binary showed it clears the DNS cache for Internet Explorer and modifies the hosts file (etc/hosts, which on Windows lives under System32\drivers\etc), adding new entries; when the victim then resolves the South Korean bank domain names listed in the modified hosts file, those domains point to 103.14.114.156.

He said: “All the files we mentioned are from the same malware family for sure, they have very similar behaviours with some slight differences and their file names match with the list we found in the South Korean news. Some vendors call this family Win32.Morix.”
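The hosts-file tampering Blasco describes is easy to check for after the fact, because the entries persist on disk regardless of the DNS cache flush. The script below is an added example, not AlienVault's code or anything from the article: it parses a hosts file, ignores loopback and RFC 1918 mappings, and flags entries that point at the redirect address named above, that override a watched domain suffix, or that pin any public IP. The sample hosts file and the bank hostnames are constructed for the example; the only indicator taken from the article is 103.14.114.156.

```python
import ipaddress

# Windows keeps its hosts file here (the file the malware rewrote).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Indicator from the article: bank domains were redirected to this address.
KNOWN_BAD_IPS = {"103.14.114.156"}

# Address ranges that legitimately appear in enterprise hosts files.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample hosts file (bank names hypothetical, 203.0.113.9 is a documentation IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.local   # legitimate internal override
103.14.114.156  www.examplebank.co.kr
103.14.114.156  banking.examplebank.co.kr
203.0.113.9     update.example.com
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address; skip malformed line
        for name in fields[1:]:
            yield lineno, str(ip), name.lower()


def is_internal(addr):
    """True for loopback, unspecified, link-local and RFC 1918 / ULA addresses."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local
            or any(addr in net for net in INTERNAL_NETS))


def find_hijacks(text, watched_suffixes=(".co.kr", ".kr"), bad_ips=KNOWN_BAD_IPS):
    """Return hosts entries that look like DNS hijacks, in file order."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if is_internal(addr):
            continue
        reason = None
        if ip in bad_ips:
            reason = "known redirect IP"
        elif name.endswith(tuple(watched_suffixes)):
            reason = "non-local override of watched domain"
        else:
            reason = "public IP pinned in hosts file"
        hits.append({"line": lineno, "ip": ip, "name": name, "reason": reason})
    return hits


def scan_hosts_file(path=WINDOWS_HOSTS_PATH, **kwargs):
    """Scan a hosts file on disk; tolerate odd encodings left by tampering."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_hijacks(fh.read(), **kwargs)


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['name']} -> {hit['ip']} ({hit['reason']})")
```

The watched-suffix list is deliberately narrow (the article's victims were Korean banks); an incident responder would widen it to the organisation's own domains and feed the result into whatever case tracking is in use, since any non-internal mapping in a hosts file on a managed Windows host deserves a look.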