Hackers using KillDisk MBR-wiping Malware to Attack Bank’s SWIFT Money Transferring System

New KillDisk Malware hitting financial institutions in Latin America to attack SWIFT networks and gains access to the systems that connected to the bank with an infected organization.

Most of the Financial institutions are connected with SWIFT (Worldwide Interbank Financial Telecommunication’s network) network in worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.

Researchers analysis reveal that this is the new variant of the earlier version of KillDisk which is performing MBR-wiping in affected systems.

Payload activities make difficult to determine that the attack was motivated by a cybercriminal campaign or coordinated attack.

KillDisk Malware Working Function

Based on the error message while testing this malware indicate that it initially affected the Victims machine’s boot sector.

It started the attack on may 2018 and during the analysis phase, it broke the boot sector when analyst ran into the test machine.

An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs.

Malware authors named it “MBR Killer” for this application and malware sample was protected by VMProtect, A product to evade and defend against reverse engineering.

According to Trend Micro, it works in the following ways to compromise the victims and wiping the MBR.

• It uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk.

• It overwrites the first sector of the disk (512 bytes) with “0x00”. The first sector is the disk’s MBR.

• It will try to perform the routines above (steps 1-2) on \\.\PHYSICALDRIVE1, \\.\PHYSICALDRIVE2, \\.\PHYSICALDRIVE3, and so on, as long as a hard disk is available.

• It will then force the machine to shut down via the API ExitWindows.

KillDisk will wipe all the physical drive data after the complete infection using above routine.

When calling the APIs, the main executable will drop the component file %User Temp%/ns{5 random characters}.tmp/System.dll. The main executable will then load the dynamic-link library (DLL) file, which has the export function “Call” used to call for the APIs. Trend Micro said.

Also Read:

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

More than 75% of Redis Servers Open to Internet are Infected With Malware

XMRig – New Cryptojacking Malware Attack on Apple Mac Devices