Wednesday, October 9, 2024
HomeMalwareHackers using KillDisk MBR-wiping Malware to Attack Bank’s SWIFT Money Transferring System

Hackers using KillDisk MBR-wiping Malware to Attack Bank’s SWIFT Money Transferring System

Published on

New KillDisk Malware hitting financial institutions in Latin America to attack SWIFT networks and gains access to the systems that connected to the bank with an infected organization.

Most of the Financial institutions are connected with SWIFT (Worldwide Interbank Financial Telecommunication’s network) network in worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.

Researchers analysis reveal that this is the new variant of the earlier version of KillDisk which is performing MBR-wiping in affected systems.

- Advertisement - EHA

Payload activities make difficult to determine that the attack was motivated by a cybercriminal campaign or coordinated attack.

KillDisk Malware Working Function

Based on the error message while testing this malware indicate that it initially affected the Victims machine’s boot sector.

It started the attack on may 2018 and during the analysis phase, it broke the boot sector when analyst ran into the test machine.

An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs.

Malware authors named it “MBR Killer” for this application and malware sample was protected by VMProtect, A product to evade and defend against reverse engineering.

According to Trend Micro, it works in the following ways to compromise the victims and wiping the MBR.

  • It uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk.
  • It overwrites the first sector of the disk (512 bytes) with “0x00”. The first sector is the disk’s MBR.
  • It will try to perform the routines above (steps 1-2) on \\.\PHYSICALDRIVE1\\.\PHYSICALDRIVE2\\.\PHYSICALDRIVE3, and so on, as long as a hard disk is available.
  • It will then force the machine to shut down via the API ExitWindows.

KillDisk will wipe all the physical drive data after the complete infection using above routine.

When calling the APIs, the main executable will drop the component file %User Temp%/ns{5 random characters}.tmp/System.dll. The main executable will then load the dynamic-link library (DLL) file, which has the export function “Call” used to call for the APIs. Trend Micro said.

Also Read:

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

More than 75% of Redis Servers Open to Internet are Infected With Malware

XMRig – New Cryptojacking Malware Attack on Apple Mac Devices

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...