IT security vendor Trend Micro Incorporated detected multiple cyberattacks on South Korean banking corporations and media agencies early this week. The incident began when corporate computer systems were shutdown and could not be rebooted, while others were showing images of a skull and a “warning”. As a result, business operations, ATMs, online banking, and TV broadcasts were disrupted.
Tactics used in these attacks resembles advanced target attacks, where spear-phishing emails were used to penetrate and compromise initial systems within these organizations. Upon penetration, attackers targeted critical IT infrastructures such as patch management servers, and public facing web sites, in preparation for a “waterhole attack” where these legitimate websites and servers are modified to inject malicious code onto connecting PCs. Like a lion waiting for speedy gazelles to slow down and have a drink, attackers hacked and loaded viruses onto sites they suspect attractive targets will visit.
Compromised websites connected visiting clients to off-shore websites where malicious Trojan program, known as TROJ_KILLMBR.SM, was installed.
This program was responsible for taking down the infected systems by overwriting the Master Boot Record (MBR), thus paralyzing system and business operations. Wiping the MBR, a form of self-destruct, is typically the last step in a targeted attack that makes investigation and recovery of these systems more difficult.
In a statement, Trend Micro said it has predicted a significant increase in cyber-attacks, and has been working with their customers and partners in the region to provide custom defense for the last several years. As a result of this investment, Trend Micro customers are protected in this series of attacks.
Customers using Trend Micro Deep Discovery were alerted on March 19th. The Deep Discovery Inspector and Deep Discovery Advisor heuristically detected malicious traffic and email (through the names of HEUR_NAMETRICK.B). As of March 20th, the malicious files and websites involved in these attacks are also detected and blocked by other Trend Micro solutions.
For further information on this threat, please check out the Trend Micro blog[link].