Monday, June 17, 2024

Hackers using KillDisk MBR-wiping Malware to Attack Bank’s SWIFT Money Transferring System

New KillDisk Malware hitting financial institutions in Latin America to attack SWIFT networks and gains access to the systems that connected to the bank with an infected organization.

Most of the Financial institutions are connected with SWIFT (Worldwide Interbank Financial Telecommunication’s network) network in worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.

Researchers analysis reveal that this is the new variant of the earlier version of KillDisk which is performing MBR-wiping in affected systems.

Payload activities make difficult to determine that the attack was motivated by a cybercriminal campaign or coordinated attack.

KillDisk Malware Working Function

Based on the error message while testing this malware indicate that it initially affected the Victims machine’s boot sector.

It started the attack on may 2018 and during the analysis phase, it broke the boot sector when analyst ran into the test machine.

An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs.

Malware authors named it “MBR Killer” for this application and malware sample was protected by VMProtect, A product to evade and defend against reverse engineering.

According to Trend Micro, it works in the following ways to compromise the victims and wiping the MBR.

  • It uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk.
  • It overwrites the first sector of the disk (512 bytes) with “0x00”. The first sector is the disk’s MBR.
  • It will try to perform the routines above (steps 1-2) on \\.\PHYSICALDRIVE1\\.\PHYSICALDRIVE2\\.\PHYSICALDRIVE3, and so on, as long as a hard disk is available.
  • It will then force the machine to shut down via the API ExitWindows.

KillDisk will wipe all the physical drive data after the complete infection using above routine.

When calling the APIs, the main executable will drop the component file %User Temp%/ns{5 random characters}.tmp/System.dll. The main executable will then load the dynamic-link library (DLL) file, which has the export function “Call” used to call for the APIs. Trend Micro said.

Also Read:

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

More than 75% of Redis Servers Open to Internet are Infected With Malware

XMRig – New Cryptojacking Malware Attack on Apple Mac Devices

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles