
Different Wipers Identified in South Korean Cyberattack

Created: 23 Mar 2013 01:36:26 GMT • Updated: 23 Jan 2014 18:08:41 GMT • Translations available: 日本語

Our analysis of Trojan.Jokra, the threat that recently caused major outages in the South Korean broadcasting and banking sectors, has turned up yet another wiper variant.

Over the past few days security researchers have been discussing the wiper component of this Trojan, specifically the different wiper versions and the trigger timings involved. We have seen the following strings used across the variants:

  • PRINCIPES
  • HASTATI
  • PR!NCPES
  • HASTATI and PR!NCPES in combination
  • PRINCPES

Three of the wipers are packaged as a standalone Portable Executable (PE) file and a fourth as a dynamic-link library (DLL) that is injected into another process. The variants also differ in when they trigger.
 

[Image: table1.jpg]

Table. Trojan.Jokra wipers
 

Two of the wipers are instructed to wipe immediately upon execution. Another is instructed to wipe at exactly 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20 of any year; the time check is independent of the year.
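The two points above, the marker strings that distinguish the variants and the three trigger behaviours (immediate, a fixed date and time, and a date and hour that ignore the year), are easy to get wrong in triage, so here is an added example of how an analyst might encode them. This is illustrative code written for this page, not Symantec's tooling and not code recovered from the samples. The marker strings and trigger times are the ones stated in the post; the schedule names, the function names, the reading of the yearly trigger as "date matches and hour reached", the behaviour of a fixed trigger whose time has already passed, and the sample bytes are assumptions made for the example.

```python
"""Triage helpers for the Trojan.Jokra wiper variants described above.

Added example, not Symantec's tooling or code from the samples. The
marker strings and trigger times are taken from the post; the schedule
names, function names, the "date matches and hour reached" reading of
the yearly trigger, and the constructed sample bytes are assumptions.
"""
from datetime import datetime

# Marker strings reported in the post, as bytes so the scan works on raw
# file or disk-image contents rather than decoded text.
MARKERS = (b"PRINCIPES", b"HASTATI", b"PR!NCPES", b"PRINCPES")


def find_markers(data: bytes) -> list:
    """Return the markers present in `data`, in MARKERS order.

    None of the four strings is a substring of another (PR!NCPES and
    PRINCPES differ at the third character, PRINCIPES is one letter
    longer), so a plain substring scan does not double count.
    """
    return [m.decode() for m in MARKERS if m in data]


def label_variant(markers) -> str:
    """Map the markers found to the variant descriptions used in the post."""
    found = set(markers)
    if found == {"HASTATI", "PR!NCPES"}:
        return "HASTATI and PR!NCPES in combination"
    if len(found) == 1:
        return found.pop()
    if not found:
        return "no known Jokra marker"
    return "unlisted combination: " + ", ".join(sorted(found))


# Trigger behaviours from the post. None = wipe immediately on execution;
# a datetime = fire once that moment is reached; a (month, day, hour)
# tuple = fire on that calendar date and hour in any year.
SCHEDULES = {
    "immediate": None,
    "fixed_2013-03-20_14:00": datetime(2013, 3, 20, 14, 0),
    "yearly_03-20_15:00": (3, 20, 15),
}


def seconds_until_fire(schedule: str, now_iso: str) -> int:
    """Seconds until a wiper on `schedule` fires given the host clock
    `now_iso` (ISO 8601, e.g. "2013-03-20T13:00"); 0 means it fires now.
    """
    now = datetime.fromisoformat(now_iso)
    spec = SCHEDULES[schedule]
    if spec is None:
        return 0
    if isinstance(spec, datetime):
        # Assumption: a fixed trigger whose time has passed fires at once.
        return max(0, int((spec - now).total_seconds()))
    month, day, hour = spec
    candidate = datetime(now.year, month, day, hour)
    if now.date() == candidate.date() and now >= candidate:
        return 0  # on the trigger day and the hour has been reached
    if now > candidate:
        # Trigger day already passed this year: next year's March 20.
        candidate = datetime(now.year + 1, month, day, hour)
    return int((candidate - now).total_seconds())


if __name__ == "__main__":
    # Constructed stand-in for a sample's bytes, not a real Jokra file.
    sample = b"\x00" * 16 + b"HASTATI" + b"\x00" * 8 + b"PR!NCPES" + b"\x00" * 16
    found = find_markers(sample)
    print("markers:", found, "->", label_variant(found))
    for sched in SCHEDULES:
        for clock in ("2013-03-20T13:00", "2014-03-20T15:30"):
            print(sched, "at", clock, "fires in",
                  seconds_until_fire(sched, clock), "s")
```

The yearly schedule is the one that matters most for analysis: if the time check really is year-independent as the post states, a sample detonated in a sandbox on any day other than March 20 will never show its wiping payload, so set the guest clock into the trigger window before running it, and treat any host still carrying the sample as exposed again every March 20.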
 

[Image: image1.jpg]

Figure. Trojan.Jokra wiper countdown
 

To stay protected against Trojan.Jokra and other threats, make sure your computer has the latest patches installed and that your antivirus definitions are up to date.