Blog

More Insights on the Recent Korean Cyber Attacks (Trojan.Hastati)

It is interesting to see how this malware attack in Korea focuses on wiping and destruction rather than information or data stealing. This attack is as much a cyber rampage as it is a cyber attack. In the past, attackers resorted to DDoS to take out a nation’s infrastructure, such as the 2007 attack in Estonia or the 2012 attack on American banks by a group claiming to be Iranian hacktivists.

The malware attack not only corrupts the master boot record (MBR), but also deletes the disk contents through direct access to PhysicalDrive, thus rendering the computer useless.

Additionally, the malware is time-based. This means that the malware was set to launch at a specific time: “14:00-20-Mar-2013.” Then the malware would check for a Windows version and launch a thread, which writes directly to the hard disk, thereby corrupting the MBR. Finally, it had evasion capabilities. The malware also checked for AhnLabs anti-virus—a Korean product—and disabled it. This indicates that the attackers were explicitly targeting Korea. FireEye detects these malware attacks as Trojan.Hastati.

Technical Analysis

Korea was recently the target of mass cyber attacks. These attacks mainly affected banks and TV stations in Korea, rendering machines unusable.

In the samples we analyzed, “HASTATI” and “PRINCPES” were the two strings used by the malware. It is interesting to note that both these keywords seem to reference Roman armies. The PRINCPES string seems to be a spelling mistake and we speculate that it was actually a reference to the word “Principes”.(http://en.wikipedia.org/wiki/Hastati,http://en.wikipedia.org/wiki/Principes)

The malware has a timer and will activate itself only if the date and time is March 20, 2:00 PM or later. The malware essentially achieves this by polling the GetLocalTime API. Upon activation the malware terminates the following processes as shown in figure 1.0.

1)  taskkill /F /IM pasvc.exe [AhnLab client]

2)  taskkill /F /IM Clisvc.exe

The process pasvc.exe is the AhnLab client. AhnLab is a very popular AV in Korea. This leads us to believe that the malware is  targeting Korea.

kor1

Figure 1.0 Killing Process pasvc.exe

If the operating system version of the compromised machine is windows vista or above, then the malware enumerates all files on the system and overwrites the files using the keyword “HASTATI” or “PRINCPES”, depending on the sample. It then goes on to delete the overwritten files to make data unrecoverable. On pre-vista OS, the malware overwrites fixed logical drives. This behavior is shown in figure 2.0.

kor2

Figure 2.0

The figure below shows how the malware is enumerating all the physical drives to overwrite the MBR.

Figure 3.0 Enumerating Physical drives for changing MBR

Figure 3.0 Enumerating Physical drives for changing MBR

In the following image we can see how the MBR is corrupted using “HASTATI” keyword making it practically unusable.

Figure 4.0 Modified MBR

Figure 4.0 Modified MBR

Finally, the Winexec API is called to shutdown the system using “shutdown -r -t 0″ as shown in the figure below.

Figure 5.0 Malware shutting down system

Figure 5.0 Malware shutting down system

To summarize, based upon our analysis the recent outbreak in Korea does not seem to be a sophisticated malware. Its main activity is limited to corrupting the hard disk.

For the benefit of the security community and others involved in the detection and remediation of this outbreak, we are providing a YARA rule to help them with their efforts.

rule Trojan_Hastati{

meta:

description = “Korean campaign”

strings:

$str11 = “taskkill /F /IM clisvc.exe” nocase ascii wide

$str2  = “taskkill /F /IM pasvc.exe” nocase ascii wide

$str3  = “shutdown -r -t 0″ nocase ascii wide

condition:

all of them

}

This post was written by FireEye researchers Sai, Yasir, Abhishek & Vinay