A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.
KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.
Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.
In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.
One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).
In May, the security firm observed a master boot record (MBR)-wiping malware in the region, with one of the impacted organizations being a bank “whose systems were rendered inoperable for several days.” The attack, however, was deemed a distraction, as the actor behind it was in fact focused on accessing systems connected to the bank’s local SWIFT network.
The researchers also discovered that the malware used in this attack was a new variant of KillDisk, based on the error message displayed by the affected systems (common to machines infected with MBR-wiping threats).
“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” Trend Micro says.
The malware used in the May attack was created using Nullsoft Scriptable Install System (NSIS), with the actor purposely naming it “MBR Killer.” Analysis of the sample revealed a routine to wipe the first sector of the machine’s physical disk.
The security researchers also say they haven’t found other new or notable routines in the sample and that no command-and-control (C&C) infrastructure or communication were observed. Furthermore, no ransomware-like routines were found in the malware, nor network-related behavior.
The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0x00”, attempts the same routine on all hard disks, then forces the machine to shut down.
“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” Trend Micro notes.