South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack

It has been reported in the media that several South Korean banks and local broadcasting organizations have been impacted by a cyber attack.

The attack included the defacement of a Korean ISP/telecoms provider and also the crippling of servers belonging to a number of organizations.

The defacement displays an elaborate animated Web page with sound effects, showing three skulls, and includes a message from the claimed attackers, who call themselves the “Whois” team.

The attack was first noticed when a number of websites began to experience problems. Customers of banks could not access their online accounts and reports of other sites being down began to surface. While specific details are not known at this time, it has been reported that a number of sites affected had their hard drives wiped leaving the affected computers in a crippled state.

Symantec detects the suspected malware as Trojan Horse/Trojan.Jokra and WS.Reputation.1.

We are currently performing detailed analysis of it. At this time, we can confirm that the malware performs the following actions:

  • Creates a file mapping object to reference itself using the name: JO840112-CRAS8468-11150923-PCI8273V
  • Kills two processes relating to local antivirus/security product vendors:
    • pasvc.exe
    • clisvc.exe
  • Enumerates all drives and begins to overwrite the MBR and any data stored on each drive by writing either the string “PRINCPES” or “HASTATI”. This wipes all contents of the hard disk.
  • The threat may also attempt to perform the same wiping actions on any drives attached or mapped to the compromised computer.
  • Forces the computer to reboot by executing “shutdown -r -t 0”, which renders the system unusable as the MBR and the contents of the drive are now missing.
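As an added forensic triage example (not Symantec's code or part of the original post), the script below scans a raw disk image sector by sector and flags sectors filled with the “PRINCPES” or “HASTATI” strings listed above, reporting whether the MBR's boot signature is still present. It assumes the marker string is written back to back to fill each sector, which the post does not state, and the sample image is constructed.

```python
import re
from collections import Counter

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Strings the post reports the wiper writes over the MBR and drive contents.
# Assumption (not stated in the post): a marker is written back to back until
# the sector is full, so a wiped sector is essentially a run of one marker.
WIPE_MARKERS = (b"PRINCPES", b"HASTATI")

def classify_sector(sector: bytes, threshold: float = 0.9) -> str:
    """Label one sector 'wiped:<MARKER>', 'boot', 'zero' or 'other'.
    'wiped' needs at least `threshold` of the bytes covered by non-overlapping
    copies of one marker; the slack absorbs the odd byte left over when the
    marker length does not divide the sector size (HASTATI is 7 bytes)."""
    for marker in WIPE_MARKERS:
        covered = sum(len(m.group()) for m in re.finditer(re.escape(marker), sector))
        if covered >= threshold * len(sector):
            return f"wiped:{marker.decode()}"
    if sector[-2:] == BOOT_SIGNATURE:
        return "boot"  # 0x55AA still in place: MBR/VBR not overwritten
    if not sector.strip(b"\x00"):
        return "zero"
    return "other"

def triage_image(image: bytes) -> dict:
    """Per-label sector counts, first wiped sector, and whether sector 0
    (the MBR) still carries its boot signature."""
    sectors = [image[i:i + SECTOR_SIZE] for i in range(0, len(image), SECTOR_SIZE)]
    labels = [classify_sector(s) for s in sectors]
    first_wiped = next((i for i, l in enumerate(labels) if l.startswith("wiped:")), None)
    return {
        "sectors": len(sectors),
        "counts": dict(Counter(labels)),
        "first_wiped_sector": first_wiped,
        "mbr_intact": bool(labels) and labels[0] == "boot",
    }

# Constructed sample image (not a real capture): wiped MBR, one HASTATI
# sector, one intact boot sector, one zeroed sector.
SAMPLE_IMAGE = (
    b"PRINCPES" * 64                                              # sector 0
    + (b"HASTATI" * 74)[:SECTOR_SIZE]                             # sector 1
    + b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 505 + BOOT_SIGNATURE    # sector 2
    + bytes(SECTOR_SIZE)                                          # sector 3
)

if __name__ == "__main__":
    print(triage_image(SAMPLE_IMAGE))
```

On a real case, read the first few hundred sectors of the image with `open(path, "rb")` and pass them to `triage_image`; a sector 0 that is not labelled 'boot' explains a machine that no longer starts.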

The results of the disk wiping actions are consistent with the major outages reported in that region. Disk wiping is not a new activity: in a separate incident in August 2012, a number of Middle Eastern organizations were hit by the W32.Disttrack (Shamoon) threat, which caused a similar type of damage by wiping hard disks.

There are currently no indications of the source of this attack or of how the attackers infiltrated the affected parties. The real motives of the attack are also unclear, but in recent times there has been a ramping up of political tensions on the Korean peninsula, and these attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands.

Symantec will publish further information as it becomes available.