New KillDisk malware variant caught targeting financial institutions in Latin America
- MBR-wiping malware targeting systems in the region detected in May 2017.
- KillDisk is designed to completely wipe out all hard disks in the targeted system.
- Attackers attempted to access local SWIFT network.
A new variant of the disk-wiping malware KillDisk has been discovered targeting financial institutions in Latin America. According to security researchers at Trend Micro, the attacks leveraging the new malware are believed to have begun in January.
One of the attacks was traced back to an attempted heist, researchers said. The unsuccessful attempt targeted the systems of an unnamed Latin American financial institution, which were connected to the SWIFT network.
In May 2017, researchers detected an MBR-wiping malware targeting systems in the region. One of the organizations targeted was a bank whose systems were rendered completely inoperable for an entire week after the attack. However, according to Trend Micro, the attack was only a distraction while the hackers’ real objective was to gain access to the list of systems connected to the bank’s local SWIFT network.
“The telltale sign was a problem related to the affected machine’s boot sector. Based on the error message it displayed after our tests, we were able to ascertain that this was another — possibly new — variant of KillDisk,” Trend Micro researchers wrote in a blog. “This kind of notification is common in systems affected by MBR-wiping threats and not in other malware types such as ransomware, which some people initially believed to be the culprit.”
What can KillDisk do?
The new malware variant, which researchers believe was created using the Nullsoft Scriptable Install System (NSIS), is quite similar to other disk-wiping malware samples. KillDisk is designed to completely wipe out all hard disks in the targeted system and is also capable of rendering a system completely inoperable.
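As an added illustration of the boot-sector telltale described above (example code written for this article, not Trend Micro's analysis code or anything from the malware itself), the following Python check parses a 512-byte MBR read from a disk or backup image, flags the signs a wiper leaves behind (missing 55AA signature, zeroed boot code, empty partition table, an unexpected sector hash versus a known-good baseline) and returns the findings for an integrity monitor or incident responder. The healthy sample sector is constructed inline; the wiped sector is simply 512 zero bytes.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four 16-byte partition entries starting at offset 446."""
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def mbr_sha256(mbr: bytes) -> str:
    """Hash of the raw sector, recorded as the baseline on a known-good system."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if mbr[:446].count(0) == 446:
        findings.append("boot code region is all zeros")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 for p in parts):
        findings.append("partition table empty")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):   # only "inactive" or "bootable" are valid
            findings.append(f"partition {i}: invalid status byte {p['status']:#04x}")
    if baseline_sha256 is not None and mbr_sha256(mbr) != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder boot code plus one active NTFS (0x07) partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441          # 446 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE    # 512 bytes total


if __name__ == "__main__":
    healthy = build_sample_mbr()
    print("healthy:", check_mbr(healthy, mbr_sha256(healthy)))   # []
    print("wiped:  ", check_mbr(b"\x00" * MBR_SIZE))            # three findings
```

On a live host the sector would come from reading the first 512 bytes of the physical disk device with administrative rights; compare it against the baseline hash captured during provisioning.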
However, Trend Micro researchers noted that the new KillDisk variant’s C2 infrastructure has no encoded ransomware-like routines or any other network-related behaviour. In other words, the malware authors do not appear to have given the malware any additional capabilities, a common practice among many threat actors these days.
Who is behind it?
According to Trend Micro researchers, the nature of the malware’s payload makes it difficult to identify the motivation and identity of the hackers behind KillDisk.
“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” researchers noted.
How can you stay safe?
There are various security measures that organizations can implement to avoid falling victim to malware.
Address security gaps - It is important that organizations address any and all security gaps in their systems and networks. For instance, creating responsible patching policies can help ensure that necessary patches are regularly implemented. Regularly backing up data, as well as disabling outdated systems, is also vital and can make all the difference when dealing with a security incident.
Secure critical infrastructure - It is imperative that organizations secure data storage systems, which contain sensitive corporate and personal data. For example, SWIFT has incorporated measures such as vulnerability scanning, applications’ integrity monitoring, applications controls and more.
Restricted access - Organizations must also consider limiting access to critical data and administrative tools to ensure that administrative privileges as well as important data remain in safe and trusted hands.
Incident response strategy - It is vital that all organizations have a responsible and practical incident response strategy in place that provides actionable threat intelligence, which can help security teams search for, identify, analyse and respond to threats.