New Disk Wiping Malware Used in Attacks Against South Korea: Symantec

Earlier this week, security researchers at Symantec attributed parts of recent cyber-attacks against South Korea to a hacker crew known as DarkSeoul.

The same group is also believed to have connections to attacks against South Korea that occurred in March, which wiped numerous hard drives at South Korean banks and television stations.

On Thursday, Symantec said that its ongoing investigations into attacks against South Korea resulted in the discovery of a new threat that also has destructive data-wiping functions.

The newly-discovered malware, which Symantec has named “Trojan.Korhigh”, is similar to previous data-wiping malware used in attacks against South Korea, and has the functionality to “systematically delete files and overwrite the Master Boot Record (MBR)” on the compromised computer, essentially rendering it useless.

The Trojan accepts several command line switches for added functionality, Symantec said in a blog post, such as changing user passwords on compromised computers to “highanon2013” or executing specific wipe instructions related to many different popular file types.

The malware may also change the desktop wallpaper to let the user know they have been compromised, Symantec said.

Trojan.Korhigh can also collect system information from infected machines and send it to IP addresses that, according to SecurityWeek’s research based on the IPs provided by Symantec, are located in South Korea.

It has been an active week in terms of cyber threats in South Korea. Earlier this week, researchers from Seculert unveiled details on “PinkStats”, malware that was used in a string of attacks over the last four years, including many against South Korea and against other organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea, Seculert said.

“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explained in their post.

Interestingly, the attacks this week against South Korea coincided with the anniversary of the start of the Korean War in 1950, an event that attackers observed by taking down websites for the South Korean president’s office and local newspapers.

In addition to attacking numerous websites, a report surfaced on Thursday that hackers had obtained and published personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
