MBR-wiping malware targets German victims


Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Info Security said:
Master boot record wipers have been cropping up lately, most notably in a widespread attack on South Korea media properties. A new MBR-based hack is now targeting German users, who are at risk of having their systems rendered unusable by malware being sent via spam messages.

Trend Micro recently uncovered what it terms a “noteworthy backdoor” as an attached file in certain spam variants sent to German recipients. The spam sample the security firm found tells recipients they have to pay a certain debt, the details of which are contained in the attachment. The attachment, of course, executes that malware.

Like any backdoor, it (BKDR_MATSNU.MCB) performs certain malicious commands, which include gathering machine-related information sent to its command-and-control (C&C) server. But it also has a secret sauce. “This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea,” noted Lenart Bermejo, threat response tech lead at Trend Micro.

The remote malicious server only needs to communicate a wipe command to the backdoor and it can execute the MBR routine immediately. Once compromised, infected systems won’t reboot normally and will leave users with unusable machines.

The MBR was recently used in the high-profile (but different) attack against South Korean institutions, including three broadcasters – KBS, MBC and YTN – and two banks, Shinhan and Nonghyup. Security firm AlienVault found one of the offending pieces of code to attack by way of overwriting a system’s MBR, making it a rootkit bug.

McAfee’s latest Quarterly Threats Report noted a surge in MBR attacks, where the goal is to infect a machine’s storage system, and from there take control of the entire device. The appearance of MBR samples increased more than 30% in Q1 2013, noted the report. MBR corruption was popular in the '80s and '90s, but there has been a gap in MBR infections until now, McAfee said.

The German-targeted malware doesn’t stop at wreaking MBR havoc though: another feature is the backdoor’s capability to lock and unlock a screen. “This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the ransom,” Bermejo said.

Read more: http://www.infosecurity-magazine.com/view/32866/mbrwiping-malware-targets-german-victims/
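As an added defender-side illustration (not from the article or from Trend Micro), the following Python reads a 512-byte sector and checks whether it still looks like an intact MBR: the 0x55AA boot signature at offset 510, non-empty boot code, and a plausible partition table at offset 446, plus a hash comparison against a baseline recorded while the machine was known-good. The two sample sectors are constructed inline; on a real system the input would be the first sector of a disk image.

```python
import struct
import hashlib

MBR_SIZE, PT_OFFSET, SIG_OFFSET = 512, 446, 510

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte primary partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]          # boot flag, partition type id
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes) -> list:
    """Return human-readable findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:PT_OFFSET]):
        findings.append("boot code region is all zeros")
    parts = parse_partitions(mbr)
    if not any(p["type"] for p in parts):
        findings.append("partition table is empty")
    for n, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {n}: zero-length partition")
    return findings

def matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """Compare the sector against a hash recorded while the system was known-good."""
    return hashlib.sha256(mbr).hexdigest() == baseline_sha256

# Constructed sample: a few bytes of boot code and one active NTFS-type partition at LBA 2048.
_entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 2048, 204800)
GOOD_MBR = b"\xfa\x33\xc0\x8e\xd0".ljust(PT_OFFSET, b"\x00") + _entry + b"\x00" * 48 + b"\x55\xaa"
WIPED_MBR = b"\x00" * MBR_SIZE   # constructed: what a destructive overwrite typically leaves behind
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        print(name, "baseline match:", matches_baseline(sector, BASELINE), check_mbr(sector))
```

A baseline hash taken at provisioning time and re-checked from a boot-independent context (recovery media or a backup agent) catches a wiped sector before the next reboot fails.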