
New Disk Wiping Malware Used in Attacks Against South Korea: Symantec

Earlier this week, security researchers at Symantec attributed parts of recent cyber-attacks against South Korea to a hacker crew known as DarkSeoul.

The same group is also believed to have connections to attacks against South Korea that occurred in March, which wiped numerous hard drives at South Korean banks and television stations.

On Thursday, Symantec said that its ongoing investigations into attacks against South Korea resulted in the discovery of a new threat that also has destructive data-wiping functions. 

The newly-discovered malware, which Symantec has named “Trojan.Korhigh”, is similar to previous data-wiping malware used in attacks against South Korea, and has the functionality to “systematically delete files and overwrite the Master Boot Record (MBR)” on the compromised computer, essentially rendering it useless.

The Trojan accepts several command line switches for added functionality, Symantec said in a blog post, such as changing user passwords on compromised computers to "highanon2013" or executing specific wipe instructions related to many different popular file types.

The malware may also change the desktop wallpaper to let the user know they have been compromised, Symantec said.

Trojan.Korhigh can also collect information about the infected system and send it to IP addresses that, according to SecurityWeek’s research based on IPs provided by Symantec, are located in South Korea.

It has been an active week in terms of cyber threats in South Korea. Earlier this week, researchers from Seculert unveiled details on “PinkStats”, malware that was used in a string of attacks over the last four years, including many against South Korea and other organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea, Seculert said.

“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explained in their post.

Interestingly, the attacks this week against South Korea coincided with the anniversary of the start of the Korean War in 1950, an event that attackers observed by taking down websites for the South Korean president's office and local newspapers.

In addition to attacking numerous websites, a report surfaced on Thursday that hackers had obtained and published personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.