SecurityWeek

New Disk Wiping Malware Used in Attacks Against South Korea: Symantec

Earlier this week, security researchers at Symantec attributed parts of recent cyber-attacks against South Korea to a hacker crew known as DarkSeoul.

The same group is also believed to be connected to the March attacks against South Korea, which wiped numerous hard drives at South Korean banks and television broadcasters.

On Thursday, Symantec said that its ongoing investigation into the attacks against South Korea had turned up a new threat that also carries destructive data-wiping functionality.

The newly discovered malware, which Symantec has named “Trojan.Korhigh”, is similar to the data-wiping malware used in earlier attacks against South Korea. It has the functionality to “systematically delete files and overwrite the Master Boot Record (MBR)” on the compromised computer; because the MBR holds the boot code and the partition table, overwriting it leaves the machine unable to boot and its partitions unreachable without manual repair, essentially rendering it useless.
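The MBR overwrite is what turns a compromised host into a brick, so a practical first check during incident response is a structural triage of sector 0 taken from a disk image or block device. The Python below is an added example written for this page; it is not code from Symantec, from SecurityWeek, or from the malware. The three sample sectors are constructed for the demonstration (an intact MBR with one NTFS partition, a zero-filled sector, and a sector overwritten with a repeating ASCII pattern), and the function names `triage_mbr`, `parse_partition_table` and `triage_image` are this example's own.

```python
"""Triage a 512-byte MBR sector for signs of a destructive overwrite.

Added example, not Symantec's or SecurityWeek's code. The sample sectors
below are constructed for the demo; no real malware artifacts are embedded.
"""
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries; all-zero (unused) entries are skipped.

    Entry layout: status (0x80 bootable / 0x00 inactive), 3 CHS bytes,
    type, 3 CHS bytes, 32-bit little-endian LBA start, 32-bit sector count.
    """
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        if status == 0 and ptype == 0 and lba_start == 0 and sectors == 0:
            continue
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(mbr: bytes) -> dict:
    """Return the structural checks a wiped or garbage-filled MBR fails."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)}")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if len(set(mbr)) == 1:
        # Zero-fill or single-byte fill is the classic wiper footprint.
        findings.append(f"sector filled with a single byte value 0x{mbr[0]:02x}")
    partitions = parse_partition_table(mbr)
    if not partitions:
        findings.append("partition table is empty")
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte "
                            f"0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero-length partition")
    if sum(1 for p in partitions if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    return {"suspicious": bool(findings), "findings": findings,
            "partitions": partitions}


def build_intact_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS (0x07)
    partition starting at LBA 2048 and spanning 204800 sectors."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed "after the wiper ran" sectors: zero-filled, and overwritten
# with a repeating ASCII pattern that lands garbage in the partition table.
ZERO_WIPED_MBR = bytes(MBR_SIZE)
PATTERN_WIPED_MBR = (b"WIPED!!!" * (MBR_SIZE // 8))[:MBR_SIZE]


def triage_image(path: str) -> dict:
    """Read sector 0 of a raw disk image (or a block device) and triage it."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(MBR_SIZE))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: triage_image(sys.argv[1])}
    else:
        samples = {"intact": triage_mbr(build_intact_mbr()),
                   "zero-wiped": triage_mbr(ZERO_WIPED_MBR),
                   "pattern-wiped": triage_mbr(PATTERN_WIPED_MBR)}
    for name, result in samples.items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {verdict}; {len(result['partitions'])} partition(s)")
        for f in result["findings"]:
            print(f"  - {f}")
```

Run it with the path of a raw disk image (or a block device, with the privileges that requires) to triage a real sector 0; with no argument it triages the three constructed samples. These structural checks catch the obvious fills and garbage, but they cannot tell a legitimately re-partitioned disk from a subtly tampered one; a hash of the known-good MBR captured at build time and compared against sector 0 during response is the cheap complement.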

The Trojan accepts several command line switches for added functionality, Symantec said in a blog post, such as changing user passwords on the compromised computer to “highanon2013” or running wipe routines that target specific popular file types.

The malware may also change the desktop wallpaper to let the user know they have been compromised, Symantec said.

Trojan.Korhigh can also collect system information from infected hosts and send it to IP addresses that, according to SecurityWeek’s research based on the IPs Symantec provided, are located in South Korea.

It has been an active week in terms of cyber threats in South Korea. Earlier this week, researchers from Seculert unveiled details on “PinkStats”, malware used in a string of attacks over the last four years, many of them against South Korea and against organizations in other nation-states. The most recent set of attacks targeted dozens of organizations in South Korea, Seculert said.

“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explained in their post.

Interestingly, this week’s attacks against South Korea coincided with the anniversary of the start of the Korean War in 1950, an occasion attackers marked by taking down websites for the South Korean president’s office and local newspapers.

In addition to attacking numerous websites, a report surfaced on Thursday that hackers had obtained and published personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
