Trend Micro spotted a new variant of KillDisk wiper in Latin America

Pierluigi Paganini June 09, 2018

In May, experts at Trend Micro observed a new sample of KillDisk in Latin America, the malware infected the systems of a bank.

A new piece of the KillDisk wiper was observed spotted earlier this year targeting financial organizations in Latin America, Trend Micro reports.

The destructive malware was involved in the attacks against Ukraine’s grid in December 2015, the attack was attributed to a Russia-linked APT group tracked as BlackEnergy.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

In May, experts at Trend Micro observed a master boot record (MBR)-wiping malware in Latin America, the malicious code infected the systems of a bank with a severe impact on their operations.

According to the experts, the hacker failed the attack because the real goal was obtaining the access to SWIFT network.

“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers.” reads the analysis published by Trend Micro.

“Our analysis indicates that the attack was used only as a distraction — the end goal was to access the systems connected to the bank’s local SWIFT network.”

The malware researchers determined that the malicious code was a strain of the dreaded Killdisk due to on the error message displayed by the affected systems.


The analysis of the payload makes it difficult to determine the motivation behind the attack.

The experts analyzed a sample of that variant and discovered it was created with Nullsoft Scriptable Install System (NSIS), which is an open-source application used to create setup programs.

The sample was named by the author as “MBR Killer,” the sample included a routine to wipe the first sector of the machine’s physical disk.

The sample was protected by VMProtect, a tool used to prevent reverse engineering of the code in a virtualized environment.

The analysis of the sample did not reveal any connection to a command-and-control (C&C) infrastructure neither the presence of ransomware-like routines.

“We haven’t found any other new or notable routines in the sample we have. There is no evident command-and-control (C&C) infrastructure or communication, or ransomware-like routines coded into the sample. There are no indications of network-related behavior in this malware.” continues the analysis.

The malware wipes all physical hard disks on the infected system, it retrieves the handle of the hard disk and overwrites the first sector of the disk (512 bytes) with “0x00”, then forces the machine to shut down.

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” concludes Trend Micro.

The report also included Indicators of Compromises (IoCs)

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Killdisk, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment