A new version of the KillDisk disk-wiping malware has hit companies in the financial sector in Latin America, Trend Micro reported yesterday.
Just like previous versions, KillDisk purposely deleted files but included a ransom note in an attempt to fool victims into believing they had been infected with ransomware rather than a malicious disk wiper known to have been used in many past cyber-espionage operations.
On the infosec scene, KillDisk is one of the most infamous malware families around. The malware was developed and used primarily by a Russian cyber-espionage group known as TeleBots.
This is the same group that created the Sandworm malware that attacked industrial equipment in the US, the BlackEnergy malware that was used in attacks against Ukraine's power grid, and the NotPetya ransomware that hit many companies in June 2017.
KillDisk was initially developed as a disk-wiping malware that was deployed in the later stages of an infection so attackers could use it to hide their tracks by wiping disks and destroying forensic evidence.
By the end of 2016, KillDisk received a facelift and started posing as ransomware in attacks against Ukrainian banks. A Linux variant was also discovered soon after, also used against the same targets.
Now, Trend Micro is reporting on new KillDisk attacks. The company says it detected a new version, but it differs only minimally from the versions seen in past attacks.
The ransom note is still there, as are the disk-wiping functions. The only thing that has changed is the targets: KillDisk is now being deployed on the networks of Latin American financial firms, far from the Ukrainian targets where the malware was spotted over the past three years.
For the time being, Trend Micro has not said whether these newer attacks were carried out by the TeleBots crew or by copycats trying to throw forensic investigators off their trail.
But just like in previous attacks, researchers also noted that KillDisk was not the primary malware deployed by the intruders.
"This KillDisk variant looks like it is intentionally dropped by another process/attacker," researchers said. "Its file path is hardcoded in the malware (c:\windows\dimens.exe), which means that it is tightly coupled with its installer or is a part of a bigger package."
Researchers have not yet said what the primary payload was. Nonetheless, they went into more detail regarding how this particular KillDisk variant operates.
According to researchers, once dropped on a computer, KillDisk will load itself into memory, delete its files from disk, and rename itself.
It will then overwrite the first 20 sectors of each storage device's Master Boot Record (MBR) with 0x00 bytes.
After that, it will overwrite the first 2800 bytes of each file with the same 0x00 bytes on every fixed and removable storage drive. The only files left intact are the files and folders found in the following directories, all crucial to OS operations.
KillDisk then starts a 15-minute timer and then kills the following processes. Because these are crucial OS processes, the machine will either enter a BSOD or forcibly reboot without giving the user any choice.
Once the system restarts, the user won't be able to use the computer unless the damaged MBR is repaired. When a system administrator investigates, the most common scenarios are that they'll find the ransom note and assume the system was hit by ransomware, or they'll restore from previous backups, destroying even the last clues of a KillDisk infection.
It's because of this haste to get computers back up and running in enterprise networks that disk-wiping malware strains like KillDisk and Shamoon have added ransomware components.
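The following triage helper is an added example, not code from the article or from Trend Micro: it checks files and a raw disk image for the zero-fill pattern described above (first 2800 bytes of each file, first 20 sectors of each device), so an investigator can distinguish a KillDisk-style wipe from an encrypting ransomware infection before restoring from backup. The 512-byte sector size, the file and image names, and all sample bytes are constructed assumptions.

```python
import os
import tempfile

WIPED_FILE_PREFIX = 2800   # bytes KillDisk zeroes at the start of each file
SECTOR_SIZE = 512          # assumed sector size; the article counts sectors, not bytes
WIPED_MBR_SECTORS = 20     # sectors zeroed at the start of each storage device

def zeroed_prefix(data, length):
    """True if the available head (up to `length` bytes) is all 0x00; empty input is not judged."""
    head = data[:length]
    return len(head) > 0 and head == bytes(len(head))

def file_looks_wiped(path):
    """Read only the head of the file, so large files are not loaded fully."""
    with open(path, "rb") as fh:
        return zeroed_prefix(fh.read(WIPED_FILE_PREFIX), WIPED_FILE_PREFIX)

def mbr_looks_wiped(image_path):
    """Check the first 20 sectors of a raw disk image (or a device node)."""
    span = SECTOR_SIZE * WIPED_MBR_SECTORS
    with open(image_path, "rb") as fh:
        return zeroed_prefix(fh.read(span), span)

def triage_tree(root):
    """Walk a directory and list files whose head matches the wipe pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_looks_wiped(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)

def demo():
    """Constructed sample, not real evidence: one intact file, one wiped file, one wiped image."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "docs")
        os.mkdir(docs)
        with open(os.path.join(docs, "report.docx"), "wb") as fh:
            fh.write(b"PK\x03\x04" + b"A" * 4000)               # intact ZIP-style header
        with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
            fh.write(bytes(WIPED_FILE_PREFIX) + b"tail survives")  # head zeroed by the wiper
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as fh:
            fh.write(bytes(SECTOR_SIZE * WIPED_MBR_SECTORS) + b"\x55\xaa" * 8)
        return {"wiped_files": [os.path.basename(p) for p in triage_tree(docs)],
                "mbr_wiped": mbr_looks_wiped(image)}
```

A zero-filled head is a hint rather than proof, since some legitimate files begin with long runs of zeros, so treat hits as candidates for closer review.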
New KillDisk SHA256 hash: