South Korea cyber attacks likely sparked by phishing emails

The country’s NSHC Red Alert Team found that data-deleting malware was to blame for the online attacks, which knocked targeted networks offline. But according to the Red Alert Team, the attacks were relatively unsophisticated and would have required little infrastructure or expertise to launch.

The malware wiped Windows computers by overwriting the master boot record (MBR) and the data stored on the drive, then instructed the PC to shut down. Once the MBR is overwritten the machine can no longer boot, and with the drive contents destroyed as well there is nothing left on it to recover.

An analysis of the now-archived malware by F-Secure uncovered some clues as to how the malware found its way onto the victims’ systems to begin with. “Those with [a] keen eye would notice that the malware inside the archive is using double extensions combined with a very long filename to hide the real extension,” researchers at F-Secure said. “This is a common social engineering tactic that started during the era of mass mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as [an] attachment in spear phishing emails.”
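The double-extension trick F-Secure describes is easy to screen for at a mail gateway or in a sandbox report. The following is an added example (not code from the article or from F-Secure) that flags attachment names where a benign-looking extension is followed by an executable one, or where a long run of padding pushes the real extension out of the visible part of a file-name column. The decoy and executable extension lists, the padding threshold and the sample names are assumptions constructed for the example; the page gives no filenames from the attacks.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions a recipient is meant to trust at a glance (assumed list).
DECOY_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp", "pdf",
                    "doc", "docx", "xls", "xlsx", "txt"}
# Extensions Windows runs as code when the file is opened (assumed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd",
                         "js", "vbs", "wsf", "dll"}

# The dot-separated token just before the final extension: a short
# extension-like word optionally followed by padding (spaces, underscores,
# hyphens) that hides the real extension in a truncated display.
_DECOY_RE = re.compile(r"^([a-z0-9]{1,5})([ \t_\-]*)$")


@dataclass
class Verdict:
    name: str
    real_ext: str                 # extension the OS actually acts on (the last one)
    decoy_ext: Optional[str]      # benign-looking extension shown to the user
    padding: int                  # padding characters between decoy and real extension
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse_filename(name: str, pad_threshold: int = 32) -> Verdict:
    """Flag filenames that disguise an executable extension."""
    parts = name.lower().split(".")
    real_ext = parts[-1].strip() if len(parts) > 1 else ""
    decoy_ext, padding = None, 0
    if len(parts) > 2:
        m = _DECOY_RE.match(parts[-2])
        if m:
            decoy_ext, padding = m.group(1), len(m.group(2))
    verdict = Verdict(name, real_ext, decoy_ext, padding)
    if real_ext in EXECUTABLE_EXTENSIONS:
        if decoy_ext in DECOY_EXTENSIONS:
            verdict.reasons.append(
                f"benign-looking .{decoy_ext} followed by executable .{real_ext}")
        if padding >= pad_threshold:
            verdict.reasons.append(
                f"{padding} padding characters hide the .{real_ext} extension")
    return verdict


def scan(names: List[str]) -> List[str]:
    """Return the names from a list that look like disguised executables."""
    return [n for n in names if analyse_filename(n).suspicious]


# Constructed attachment names for demonstration; not the filenames used in the attacks.
SAMPLE_NAMES = [
    "mb_join.gif",                                 # single extension: not flagged here
    "statement_2013-03.pdf" + " " * 120 + ".exe",  # long padding hides .exe
    "Photo.JPG.SCR",                               # image decoy, screensaver payload
    "report.docx",                                 # ordinary document
    "setup.exe",                                   # bare executable, not disguised
    "notes.tar.gz",                                # legitimate double extension
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = analyse_filename(n)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10s} {n[:30]!r:34s} {v.reasons}")
```

Note that a bare `setup.exe` is not reported: this check is only about the disguise. Whether executable attachments are allowed at all is a separate policy decision, and in practice the safest filter blocks them regardless of how they are named.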

F-Secure also looked for links between the wiper payloads and known samples to find more clues. Examining existing samples, the researchers found no exact match, but two variants of the wiper component matched the style.

“The first uses a similarly themed filename called mb_join.gif, which may be trying to disguise [itself] as an image of a ‘join’ button on some mobile banking website. The other is a time-triggered DLL sample,” F-Secure said. In the latter case,

“It is interesting to note that Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks,” F-Secure added. “These are either third-party applications or not supported by Windows natively. Not to mention the attacks specifically wipe remote Linux and Unix based systems. All these specifics give the impression of a targeted attack.”