
Wiper Malware Threat Analysis

2013-03-21, SecureWorks
https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-financial-sector
#DarkSeoul #Hastati #Wiper

Contents

- Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence
- Date: 21 March 2013
Overview
On March 20, 2013, at approximately 14:00 KST (UTC+9), three major broadcasting companies and six major financial institutions in South Korea (Republic of Korea) reported cyber security incidents. The attacks caused outages and delays in critical systems at the affected banks and media outlets.
Dell SecureWorks analysts acquired malware samples for further analysis. This report focuses on the technical analysis of the destructive malware samples and on CTU researchers' analysis of open-source intelligence.
Affected organizations
| Financial sector companies | Media companies |
| --- | --- |
| NongHyup | KBS |
| Shinhan Bank | MBC |
| Jeju Bank | YTN |
| NongHyup Insurance (subsidiary of NongHyup Financial Group) | |
| LotteCard (Shinhan Bank related) | |
| Woori Bank | |
Table 1. List of affected organizations (Source: SEWORKS)
Dell SecureWorks located a Korean news article reporting that one of the major ISP data centers (LG Uplus) may also have been compromised, but no technical evidence had been provided at publication time.
The South Korean government announced that more than 30,000 hosts (server and personal computers) are affected …

IoC
