South Korean banks and broadcasters took phish bait in cyberattack
Spam message posing as message from bank carried malware that wiped drives.
More details of the cyberattack on multiple banks and media companies in South Korea on Wednesday have emerged, suggesting that at least part of the attack was launched through a phishing campaign against employees of the companies. According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.
The attachment was first noticed by e-mail scanners on March 18, the day before the attack was triggered. The e-mail was purportedly from a bank; Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past.
From Trend Micro
21 Mar 2013
How Deep Discovery Protected Against The Korean MBR Wiper
We have continued to look into the MBR-wiping attacks that hit Korea earlier. We believe we now have a good picture of how the attack was conducted, why it caused so much damage, and how we were able to protect users using the threat discovery capabilities found in Trend Micro Deep Discovery.
On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment. The message posed as coming from a bank. The attachment is actually a downloader, which downloaded 9 files from several different URLs. To hide the malicious routines, a fake website is shown.
It was at this stage that Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment via ATSE (Advanced Threats Scan Engine). Deep Discovery executed the attachment in a sandbox, which was used to generate a list of URLs that was used to block these attacks right away. The URLs found at this stage were then blocked.
The combination of information provided by Deep Discovery and decisive actions by IT administrators was able to ensure our customers were protected in a timely manner. The screenshot below shows the appearance of the alerts:
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/
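The workflow Trend Micro describes above (detonate the attachment, collect the URLs the downloader fetches, block them, then confirm nothing inside the network already reached them) is a standard containment loop for a downloader-based phishing campaign. The following is an added example illustrating that loop; it is not Trend Micro's code, it does not use the Deep Discovery product or its alert format, and every host name, file name and log line in it is constructed with reserved `.invalid` domains rather than the real 2013 infrastructure. The sandbox report layout (`network` list of fetched URLs), the squid-style proxy log format and the function names are assumptions made for the example. The allowlist parameter covers the caveat the post hints at: the downloader displays a decoy site, and any legitimate host that appears in the sandbox's URL list has to be reviewed out before the list becomes a block rule.

```python
import re
from urllib.parse import urlparse

# Constructed sandbox report for a detonated attachment (hypothetical layout:
# the fetched URLs appear under "network"). Hosts are placeholders.
SANDBOX_REPORT = {
    "sample": "statement_march.doc.exe",  # constructed file name
    "verdict": "malicious",
    "network": [
        {"method": "GET", "url": "http://update.stage-one.invalid/a1.dat"},
        {"method": "GET", "url": "http://update.stage-one.invalid/a2.dat"},
        {"method": "GET", "url": "http://cdn.stage-two.invalid:8080/x.bin"},
        # The decoy page the downloader shows the victim; may be a real site.
        {"method": "GET", "url": "http://decoy-bank-login.invalid/index.html"},
    ],
}

# Constructed proxy log lines, squid-like: time src_ip status bytes method url.
PROXY_LOG = """\
1363651201.113 10.20.30.41 TCP_MISS/200 2048 GET http://update.stage-one.invalid/a1.dat
1363651202.870 10.20.30.41 TCP_MISS/200 4096 GET http://update.stage-one.invalid/a2.dat
1363651205.001 10.20.30.77 TCP_MISS/200 512 GET http://intranet.corp.invalid/news
1363651208.440 10.20.30.52 TCP_MISS/200 9001 GET http://cdn.stage-two.invalid:8080/x.bin
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<status>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def extract_blocked_hosts(report, allowlist=frozenset()):
    """Reduce the sandbox's fetched URLs to a sorted list of hosts to block.

    Ports and paths are dropped because blocking is done per host; anything
    on the reviewer's allowlist (e.g. a legitimate bank site used as a decoy)
    is left out so the block rule does not cut off real services.
    """
    hosts = set()
    for event in report.get("network", []):
        host = urlparse(event["url"]).hostname
        if host and host.lower() not in allowlist:
            hosts.add(host.lower())
    return sorted(hosts)


def squid_dstdomain_acl(hosts):
    """Render the host list in squid's dstdomain ACL file format (one per line)."""
    return "".join(f"{h}\n" for h in hosts)


def find_exposed_clients(log_text, blocked_hosts):
    """Scan proxy logs for clients that already fetched from a blocked host.

    Returns {client_ip: [hosts contacted]} so responders know which machines
    ran the downloader before the block took effect.
    """
    blocked = set(blocked_hosts)
    exposed = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        host = urlparse(m.group("url")).hostname
        if host and host.lower() in blocked:
            seen = exposed.setdefault(m.group("src"), [])
            if host not in seen:
                seen.append(host)
    return exposed


if __name__ == "__main__":
    hosts = extract_blocked_hosts(SANDBOX_REPORT, allowlist={"decoy-bank-login.invalid"})
    print("Block rule:\n" + squid_dstdomain_acl(hosts))
    for client, contacted in find_exposed_clients(PROXY_LOG, hosts).items():
        print(f"{client} already reached {', '.join(contacted)}; isolate and image")
```

The order of operations matters: the exposed-client scan is run against the same host list that goes into the block rule, so a machine that fetched a stage before the proxy rule landed shows up for isolation instead of being hidden by the block.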