New disk wiper malware linked to attacks in South Korea, researchers say

The malware is similar to the one used against South Korean banks and TV broadcasters in March, Symantec researchers said

A new piece of malware designed to delete files from hard disk drives and render computers unable to boot targets South Korean users, according to researchers from security firm Symantec.

The malware is similar to the Jokra Trojan program that was used in March to wipe the hard drives of computers belonging to several banks and TV broadcasters in South Korea, leading to significant disruptions of their operations.

The attack in March was attributed by security experts to a hacker gang called "DarkSeoul" that's also believed to be responsible for the distributed denial-of-service attacks from Tuesday against South Korean websites, including that of South Korean President Park Guen-hye.

The new hard-drive wiper malware is called Trojan.Korhigh and was found by Symantec researchers during their investigations into cyberattacks in South Korea. "Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable," the Symantec researchers said Thursday in a blog post.

The Master Boot Record (MBR) resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts. If the MBR is missing, a computer will no longer be able to load the operating system.

In addition to overwriting the MBR on compromised computers, the Korhigh Trojan program can also wipe files with specific extensions, including executable files, libraries, Web pages, videos and images.

The malware can also be instructed to change the user passwords on the infected computers to highanon2013 and to replace the desktop wallpaper with an image that mentions a group called High Anonymous.

Korhigh gathers information such as the operating system version, the computer's name and the current date from infected computers and uploads the data to remote servers, the Symantec researchers said.

South Korean officials frequently blame North Korean hackers for cyberattacks against local organizations and websites. However, there is also technical evidence linking some computer attacks in South Korea to Chinese-speaking hacker groups.

Earlier this week, researchers from Israeli security firm Seculert reported that a piece of malware called PinkStats has been used by Chinese hackers to compromise over 1,000 computers belonging to dozens of organizations in South Korea, including many educational institutions.

The identities of the attackers behind the Korhigh Trojan program cannot be confirmed, the Symantec researchers said, noting that their investigation of the threat continues.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies