Security Experts:

South Korea Cyber Attacks Used Data-Wiping Trojan, Component to Wipe Linux Machines

While the motivation for the recent cyber-attacks against South Korean organizations remains unclear, researchers have identified the malware used as a data-wiping Trojan.

As SecurityWeek reported early Wednesday, several South Korean banks and local broadcasting organizations have been hit by cyber-attacks. A Korean Internet service provider's Web page was defaced with an elaborate animated image of three skulls and sound effects. A number of organizations reported their servers were crippled.

It's not clear at this point the source of the attack, or how the victims were infected with the malware. The attack was first noticed when customers couldn't access their online accounts and other sites were reported as being down, Symantec Security Response said.

Map of South Korea

"These attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands," Symantec said.

The malware first kills two processes used by AhnLab Policy Agent and Hauri ViRobot, crippling the security software on the targeted computer. It then wipes the hard disks of infected computers and on any drives attached or mapped to the computer by overwriting the data with the string "PINCPES" or "HASTATI." Hastati refers to a class of infantry in the early Roman Republic, according to Jamie Blasco, manager of AlienVault Labs.

After the wipes are complete, the computers are forced to reboot, and since there is no data left on the hard disks, the computers are left in an unusable state, Symantec Security Response said. Symantec Security Response noted that disk wiping is not new in malicious attacks, as a malware caused similar type of damage to Middle Eastern oil and energy companies last year.

Wednesday afternoon, Symantec also discovered an additional component used in the attacks that is capable of wiping machines running Linux.

"The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," Symantec explained in a blog post.  

The bash script ultimately used by the malware is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions, Symantec said. As such, it wipes out the /kernel, /usr, /etc, and /home directories. 

Unlike other recent attacks, this cyber-attack campaign appears to be focused on wiping data, not information theft, Zheng Bu, senior director of security research at FireEye, told SecurityWeek. "This attack is as much a cyber rampage as it is a cyber attack," Bu said.

While the group "Whois" team appears to be behind the attacks, the motivations at this time are unclear. At the moment, it is too soon tell if this is an isolated incident, part of a hacktivist operation, or part of a bigger cyber-war campaign, security experts said. If a nation-state is not behind the attacks, then it's "just" cyber-terrorism, since the attackers targeted banks, which are generally considered critical infrastructure, according to Kaspersky Lab.

But this episode also underscores how advanced malware attacks have become the method of choice, Bu noted. Past attackers have relied on distributed denial of service attacks, and now we have data-destroying malware.

Additional reporting by Mike Lennon

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.