Thursday, March 28, 2024

Hackers using KillDisk MBR-wiping Malware to Attack Bank’s SWIFT Money Transferring System

New KillDisk Malware hitting financial institutions in Latin America to attack SWIFT networks and gains access to the systems that connected to the bank with an infected organization.

Most of the Financial institutions are connected with SWIFT (Worldwide Interbank Financial Telecommunication’s network) network in worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.

Researchers analysis reveal that this is the new variant of the earlier version of KillDisk which is performing MBR-wiping in affected systems.

Payload activities make difficult to determine that the attack was motivated by a cybercriminal campaign or coordinated attack.

KillDisk Malware Working Function

Based on the error message while testing this malware indicate that it initially affected the Victims machine’s boot sector.

It started the attack on may 2018 and during the analysis phase, it broke the boot sector when analyst ran into the test machine.

An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs.

Malware authors named it “MBR Killer” for this application and malware sample was protected by VMProtect, A product to evade and defend against reverse engineering.

According to Trend Micro, it works in the following ways to compromise the victims and wiping the MBR.

  • It uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk.
  • It overwrites the first sector of the disk (512 bytes) with “0x00”. The first sector is the disk’s MBR.
  • It will try to perform the routines above (steps 1-2) on \\.\PHYSICALDRIVE1\\.\PHYSICALDRIVE2\\.\PHYSICALDRIVE3, and so on, as long as a hard disk is available.
  • It will then force the machine to shut down via the API ExitWindows.

KillDisk will wipe all the physical drive data after the complete infection using above routine.

When calling the APIs, the main executable will drop the component file %User Temp%/ns{5 random characters}.tmp/System.dll. The main executable will then load the dynamic-link library (DLL) file, which has the export function “Call” used to call for the APIs. Trend Micro said.

Also Read:

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

More than 75% of Redis Servers Open to Internet are Infected With Malware

XMRig – New Cryptojacking Malware Attack on Apple Mac Devices

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles