A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro while targeting financial organizations in Latin America.
A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro. This variant of KillDisk, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial organizations in Latin America, it is delivered by a different piece of malware or it may be part of a bigger attack.
“We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.” reads a preliminary analysis published by TrendMicro.
“Because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.”
KillDisk and the ICS-SCADA malware BlackEnergy, were used in the attacks that caused the power outage in Ukraine in December 2015.
In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.
This latest variant targets Windows machines deleting any file stored on drives, except for system files and folders.
“The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists.” states Trend Micro. “If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.”
Once the malware has deleted and overwritten files and folders it attempts to terminate several processes to force the machine reboots.
The processed targeted by the malware are:
Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)
Trend Micro is still investigating this news KillDisk variant, meantime it is inviting companies to adopt a “defense in depth” approach securing the perimeters from gateways, endpoints, and networks to servers.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.