Connect with us

Hi, what are you looking for?


Malware & Threats

South Korea Cyber Attacks Used Data-Wiping Trojan, Component to Wipe Linux Machines

While the motivation for the recent cyber-attacks against South Korean organizations remains unclear, researchers have identified the malware used as a data-wiping Trojan.

While the motivation for the recent cyber-attacks against South Korean organizations remains unclear, researchers have identified the malware used as a data-wiping Trojan.

As SecurityWeek reported early Wednesday, several South Korean banks and local broadcasting organizations have been hit by cyber-attacks. A Korean Internet service provider’s Web page was defaced with an elaborate animated image of three skulls and sound effects. A number of organizations reported their servers were crippled.

It’s not clear at this point the source of the attack, or how the victims were infected with the malware. The attack was first noticed when customers couldn’t access their online accounts and other sites were reported as being down, Symantec Security Response said.

Map of South Korea

“These attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands,” Symantec said.

The malware first kills two processes used by AhnLab Policy Agent and Hauri ViRobot, crippling the security software on the targeted computer. It then wipes the hard disks of infected computers and on any drives attached or mapped to the computer by overwriting the data with the string “PINCPES” or “HASTATI.” Hastati refers to a class of infantry in the early Roman Republic, according to Jamie Blasco, manager of AlienVault Labs.

After the wipes are complete, the computers are forced to reboot, and since there is no data left on the hard disks, the computers are left in an unusable state, Symantec Security Response said. Symantec Security Response noted that disk wiping is not new in malicious attacks, as a malware caused similar type of damage to Middle Eastern oil and energy companies last year.

Wednesday afternoon, Symantec also discovered an additional component used in the attacks that is capable of wiping machines running Linux.

“The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat,” Symantec explained in a blog post.  

Advertisement. Scroll to continue reading.

The bash script ultimately used by the malware is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions, Symantec said. As such, it wipes out the /kernel, /usr, /etc, and /home directories. 

Unlike other recent attacks, this cyber-attack campaign appears to be focused on wiping data, not information theft, Zheng Bu, senior director of security research at FireEye, told SecurityWeek. “This attack is as much a cyber rampage as it is a cyber attack,” Bu said.

While the group “Whois” team appears to be behind the attacks, the motivations at this time are unclear. At the moment, it is too soon tell if this is an isolated incident, part of a hacktivist operation, or part of a bigger cyber-war campaign, security experts said. If a nation-state is not behind the attacks, then it’s “just” cyber-terrorism, since the attackers targeted banks, which are generally considered critical infrastructure, according to Kaspersky Lab.

But this episode also underscores how advanced malware attacks have become the method of choice, Bu noted. Past attackers have relied on distributed denial of service attacks, and now we have data-destroying malware.

Additional reporting by Mike Lennon

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...