Threat Geek

Yesterday brought news that a cyber attack caused widespread data destruction in the South Korean banking and media sectors. Researchers at General Dynamics Fidelis Cybersecurity Solutions obtained a copy of the malware involved in the attack and have some preliminary results to share. Our compliments to the talented folks at Alien Vault Labs, whose research on this subject can be viewed on their blog.

For purposes of our research, we’ll call this specimen “239ed75323.exe." It’s a malicious file capable of wiping data in disk drives. One of the areas it targets is the disk’s Master Boot Record (MBR), without which a computer cannot load its operating system. Multiple variants of this malware were observed in the community.

The malware writes a 512 bytes pattern to the disk. This pattern contains a repeating pattern of the word “HASTATI."

It was observed that the malware didn’t overwrite this pattern over the whole disk, so there is still data that can be recovered. We will release further information on a recovery process in an advisory to follow shortly.

The malware also tries to shut down security tools from the following two South Korean companies:

     - AhnLab, Inc. (AhnLab Policy Agent process)

     - HAURI Inc. (ViRobot ISMS process)

The file we examined has the following attributes:

         File Size:  24576 bytes
         MD5: 5fcd6e1dace6b0599429d913850f0364
         SHA1: 9f69da40dda6367789041aaff01cf61d562b7c21
         PE Time: 0x510A4706 [Thu Jan 31 10:27:18 2013 UTC]
         Sections (3):
           Name      Entropy MD5
           .text     5.42    0dcfb44a4e0fe644774322087d904c8e
           .rdata   2.97     95998eb10fd4f37dae63af28f22e1c97
           .data    0.58    0962d66235e80031b7bcfcbdb4335546

         At time of analysis, antivirus tools identified the file as follows:

Reversing the file revealed some of the following code responsible for writing the wiping pattern to the disk:

General Dynamics Fidelis Cybersecurity Solutions researchers detonated the malware in a controlled environment and confirmed it does indeed overwrite the disk with a repeating “HASTATI” pattern. The following will show the area in the VMDK disk before and after it was overwritten with the pattern:

First area at disk offset 0x3D0000 (location of MBR in virtual disk):

(before)

(after)

Second area at disk offset 0x3D7000 (location of VBR in virtual disk):

(before)

(after)

According to Wikipedia, the word “HASTATI” refers to “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment, light amour and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the front battle line of the legion. They fought in a quincunx formation, supported by light troops.” J. Rickard, writing in a December 2002 article on HistoryOfWar.org, adds “the Hastati were expected to take the first clash of battle and blunt the enemy attack before the second line, the Principes took over and won the battle.”

The following are the two processes the malware tries to shutdown/kill:

“pasvc.exe”

• Command executed: “taskkill /F /IM pasvc.exe”
• Online research associates the “pasvc.exe” with a process from a company called AhnLab, Inc.
• AhnLab, Inc. is a security software company in South Korea. The company sells antivirus software.
• In specific, online research suggests that this process is associated with the AhnLab Policy Agent process.

“Clisvc.exe”

• Command executed: “taskkill /F /IM Clisvc.exe”
• Online research associates the “Clisvc.exe” with a process from a company called HAURI Inc.
• HAURI Inc. is a security software company in South Korea.
• In specific, online research suggests that this process is associated with the HAURI Inc. ViRobot ISMS security tool.

Researchers from the General Dynamics Fidelis Cybersecurity Solutions Network Defense and Forensics and Threat Research teams continue to monitor and study this event. Results of our research into a process for recovering a system infected by this attack will be released shortly.

Further Reading:

Alien Vault Labs:  Information about the South Korean banks and media systems attacks
http://labs.alienvault.com/labs/index.php/2013/information-about-the-south-korean-banks-and-media-systems-attacks/

Dark Reading: 'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240151292/loud-data-annihilation-cyberattacks-hit-south-korean-banks-media-outlets.html

Naked Security: DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
http://nakedsecurity.sophos.com/2013/03/20/south-korea-cyber-attack/

SecureList: South Korean 'Whois Team' attacks
http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks