Trend Micro Incorporated detected multiple cyber-attacks on South Korean banking corporations and media agencies. The incident began when corporate computer systems were shut down and could not be rebooted, while others displayed images of a skull and a “warning”. As a result, business operations, ATMs, online banking, and TV broadcasts were disrupted.
The tactics used in these attacks resemble advanced targeted attacks, in which spear-phishing emails were used to penetrate and compromise initial systems within these organisations. Once inside, the attackers targeted critical IT infrastructure such as patch management servers and public-facing websites, in preparation for a “watering hole” attack, in which these legitimate websites and servers are modified to inject malicious code onto connecting PCs.
The attackers hacked sites they suspected attractive targets would visit and loaded malware onto them. The compromised websites redirected visiting clients to off-shore websites, where a malicious Trojan program, detected as TROJ_KILLMBR.SM, was installed.
This program was responsible for taking down the infected systems by overwriting the Master Boot Record (MBR), the first sector of the disk that holds the boot code, the partition table and the boot signature the firmware checks before handing off control; with it gone, the machine cannot boot, paralysing system and business operations. Wiping the MBR, a form of self-destruct, is typically the last step in a targeted attack, and it makes investigation and recovery of these systems more difficult.
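As an added example (this is not Trend Micro's code and not the malware itself), the following Python script parses a classic 512-byte MBR, checks the 0x55AA boot signature and the four partition table entries, and classifies a sector as intact, wiped, or suspicious, which is the first check an analyst makes on a disk image from a machine that will no longer boot. The sample sectors and the fill pattern used to model the wipe are constructed here for illustration; nothing about the real TROJ_KILLMBR.SM payload is assumed.

```python
"""Triage the first sector of a disk image for signs of MBR wiping.

Added example, not Trend Micro's code and not the malware: it parses a
512-byte MBR, validates the 0x55AA boot signature and the partition table,
and returns a verdict. All sectors are constructed below; the fill pattern
in simulate_mbr_wipe() is a placeholder assumption, not the real payload.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # boot code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511, little-endian 0xAA55


def build_sample_mbr():
    """Constructed 'healthy' MBR: a short boot-code stub padded with NOPs
    plus one bootable NTFS-type (0x07) partition starting at LBA 2048."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # xor ax,ax / mov ss,ax / mov sp,0x7c00
    boot_code += b"\x90" * (BOOT_CODE_SIZE - len(boot_code))
    # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def simulate_mbr_wipe(sector, fill=b"WIPED!!!"):
    """Model the destructive step: the whole sector replaced by a repeated
    fill pattern. The pattern is an assumption chosen for illustration."""
    reps = SECTOR_SIZE // len(fill) + 1
    return (fill * reps)[:SECTOR_SIZE]


def parse_partition_table(sector):
    """Return the non-empty partition entries as dicts with a validity flag."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        entries.append({
            "index": i, "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
            # status must be 0x00 (inactive) or 0x80 (bootable); geometry non-zero
            "valid": status in (0x00, 0x80) and ptype != 0
                     and lba_start > 0 and sectors > 0,
        })
    return entries


def triage_mbr(sector):
    """Classify a sector as 'intact', 'wiped' or 'suspicious'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[-2:] != BOOT_SIGNATURE:
        return "wiped"        # no boot signature: firmware will not boot this disk
    entries = parse_partition_table(sector)
    if not entries or not all(e["valid"] for e in entries):
        return "suspicious"   # signature survived but the table is empty or garbage
    if len(set(sector[:BOOT_CODE_SIZE])) == 1:
        return "suspicious"   # table is fine but the boot code has been blanked
    return "intact"


if __name__ == "__main__":
    healthy = build_sample_mbr()
    print("healthy :", triage_mbr(healthy))
    print("wiped   :", triage_mbr(simulate_mbr_wipe(healthy)))
    partial = b"\x00" * BOOT_CODE_SIZE + healthy[BOOT_CODE_SIZE:]
    print("partial :", triage_mbr(partial))
```

The three verdicts map to what an analyst sees in practice: a full overwrite removes the signature outright, a partial overwrite may leave the signature while destroying the table or the boot code, and only a sector that passes all three checks should be treated as untouched. A wipe of this first sector does not by itself erase the file systems behind it, which is why triage is followed by scanning the image for partition boundaries rather than by giving the disk up.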
At least they can still watch PSY while waiting for the tech guys to fix it.