Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Malware Variant Discovered in South Korean Attacks

Researchers at Symantec have discovered a third “wiper” malware linked to the recent attacks in South Korea. The malware used during the attacks have been widely discussed by the research community and media over the last few days, and Symantec’s discovery adds more curiosity to the plot.

Researchers at Symantec have discovered a third “wiper” malware linked to the recent attacks in South Korea. The malware used during the attacks have been widely discussed by the research community and media over the last few days, and Symantec’s discovery adds more curiosity to the plot.

Aside from the attacks themselves, aimed at South Korean broadcasting and financial sectors, most of the discussions have centered on the malware discovered – including the fact that it’s destructive in nature and timed to wipe the targeted system completely depending on a set of variables. The wiping aspect is where the debate comes in to play, as completely destroying a system seems like a useless act on the part of an alleged state-sponsored aggressor.

The malware used in the attacks, named “Jokra” by Symantec, has two variants that were developed to wipe the compromised host immediately on execution. Another was set to execute and wipe the system on March 20, at 2:00 p.m. local time.

However, researchers discovered a third variant, which was set to wipe the host at 3:00 p.m. March 20, only this time the year didn’t matter. Where the others were only to activate in 2013, this latest variant isn’t dependent on the year at all.

Symantec wouldn’t speculate on what their latest discovery means, as it relates to the attack and ongoing research and investigations. However, the fact that a variant exists that didn’t rely on given year is almost to be expected since most major malware campaigns undergo several revisions. It’s also possible that this variant was an earlier creation, later scrapped in order to launch a more focused attack.

On Friday, South Korean official stepped back from their earlier accusation that an IP address used in the attack was hosted in China, reporting instead that the IP address was actually assigned to a computer in one of the targeted banks.

Investigators from the Korea Internet and Security Agency (KISA) said that the possibility that the attack originated abroad is still there however, as they are “tracking some dubious IP addresses.”

Last week’s attacks knocked KBA, MBC, and YTN TV stations off the air, and crippled operations at three banks.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.