U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New KillDisk variant targets Windows machines in financial organizations in Latin America

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro while targeting financial organizations in Latin America. A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro. This variant of KillDisk, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial […]

New KillDisk variant targets Windows machines in financial organizations in Latin America

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro while targeting financial organizations in Latin America.

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro. This variant of KillDisk, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial organizations in Latin America, it is delivered by a different piece of malware or it may be part of a bigger attack.

“We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.” reads a preliminary analysis published by TrendMicro.

“Because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.”

KillDisk and the ICS-SCADA malware BlackEnergy, were used in the attacks that caused the power outage in Ukraine in December 2015.

It was used in the same period also against mining companies, railways, and banks in Ukraine. The malware was later included in other malicious codes, including Petya.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

This latest variant targets Windows machines deleting any file stored on drives, except for system files and folders.

“The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists.” states Trend Micro. “If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.”

Once the malware has deleted and overwritten files and folders it attempts to terminate several processes to force the machine reboots.

The processed targeted by the malware are:

  • Client/server run-time subsystem (csrss.exe)
  • Windows Start-Up Application (wininit.exe)
  • Windows Logon Application (winlogon.exe)
  • Local Security Authority Subsystem Service (lsass.exe)

Trend Micro is still investigating this news KillDisk variant, meantime it is inviting companies to adopt a “defense in depth” approach securing the perimeters from gateways, endpoints, and networks to servers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – KillDisk , wiper)

[adrotate banner=”5″]

[adrotate banner=”13″]