On March 20, several attacks hit various South Korean government agencies and corporations, resulting in major disruptions to their operations. The incident started when several of their computer screens went black, while others were showing images of a skull and a “warning”.
However, Trend Micro was able to protect our enterprise users in Korea against this threat. We have identified two separate scenarios related to this event, and describe below how our solutions detected the threat and can help customers prevent it.
Two of our threat discovery solutions – Deep Discovery Inspector and Deep Discovery Advisor – heuristically detected and reported malicious traffic and messages sent to two Trend Micro customers, which we later determined to be related to this attack. Because our solutions detected the attack, customers received actionable intelligence (such as the malware’s dropped files and malicious URLs) that enabled them to take appropriate action and mitigate the risk. Our threat discovery solutions detect this threat as HEUR_NAMETRICK.B in ATSE 9.740.1012.
In a different scenario, we acquired several samples (detected as TROJ_KILLMBR.SM) which we believe were responsible for the blank computer screens reported at certain South Korean entities. In normal usage, the Master Boot Record (MBR) contains the information an operating system needs to boot correctly. This malware overwrites the MBR with the repeated strings HASTATI. and PRINCPES., then automatically restarts the system. When the system restarts, it is unable to boot because the MBR has been destroyed.
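The MBR damage described above is simple to check for after the fact: a healthy first sector ends in the 0x55AA boot signature and is not a pure repetition of one short string, whereas a sector filled end to end with a filler such as HASTATI. or PRINCPES. is. The following triage script is an added example, not Trend Micro code or the malware’s code; it classifies an in-memory 512-byte sector (for instance read from a forensic disk image) and the sample sectors it builds are constructed for illustration. The assumption that the filler repeats contiguously from byte 0 is ours; a sector that is merely missing its signature is reported separately.

```python
"""Classify a 512-byte boot sector as intact, signature-less, or wiped with a
repeating filler. Added defensive example; operates only on bytes in memory."""

from itertools import cycle, islice

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# Filler strings named in the post; treating them as contiguous repeats is an assumption.
KNOWN_FILLERS = (b"HASTATI.", b"PRINCPES.")


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is full size and carries the 0x55AA marker."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def repeating_filler(sector: bytes, max_period: int = 16):
    """Return the shortest byte string that, repeated, reproduces the whole
    sector, or None if the sector is not a pure repetition of one unit."""
    for period in range(1, max_period + 1):
        unit = sector[:period]
        reps = len(sector) // period + 1
        if (unit * reps)[:len(sector)] == sector:
            return unit
    return None


def classify_mbr(sector: bytes) -> str:
    """Coarse verdict suitable for a triage report line."""
    if len(sector) != SECTOR_SIZE:
        return "invalid-size"
    filler = repeating_filler(sector)
    if filler is not None:
        if any(known in filler or filler in known for known in KNOWN_FILLERS):
            return "wiped-known-filler"
        return "wiped-repeating-pattern"   # e.g. all zeros or an unknown filler
    if not has_boot_signature(sector):
        return "missing-boot-signature"
    return "looks-intact"


def make_sector(filler: bytes) -> bytes:
    """Constructed sample: one filler string repeated across the whole sector."""
    return bytes(islice(cycle(filler), SECTOR_SIZE))


def make_intact_sector() -> bytes:
    """Constructed sample of a plausible healthy MBR: jump stub, one bootable
    partition entry flag, zeros elsewhere, valid boot signature."""
    body = bytearray(SECTOR_SIZE)
    body[0:3] = b"\xeb\x3c\x90"      # typical x86 jump-over-BPB stub
    body[446] = 0x80                 # bootable flag of the first partition entry
    body[510:512] = BOOT_SIGNATURE
    return bytes(body)


if __name__ == "__main__":
    for label, sector in (("hastati", make_sector(b"HASTATI.")),
                          ("princpes", make_sector(b"PRINCPES.")),
                          ("zeros", bytes(SECTOR_SIZE)),
                          ("intact", make_intact_sector())):
        print(f"{label:9s} -> {classify_mbr(sector)}")
```

To use it on a real image, read the first 512 bytes of the image file and pass them to `classify_mbr`; anything other than `looks-intact` warrants restoring the MBR from a known-good backup or from the partition layout recovered by a forensic tool.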