Delaware, USA – June 11, 2018 – Adversaries attacked a Chilean bank with a modified version of the KillDisk wiper to cover the traces of their criminal activity. Financial organizations in Latin America became targets of such attacks at the beginning of this year. In May we wrote about the N40 banking trojan targeting banks in Chile, and in late May the attack on the largest Chilean bank became known. Researchers from Trend Micro analyzed the malware used in that attack and linked the operation to the attempt to steal $110 million from a Mexican bank via the SWIFT payment system. The attackers used the modified KillDisk to crash approximately 9,000 computers and 500 servers. They got away with $10 million, and researchers are confident that the destructive attack served only to distract attention from the fraudulent SWIFT transfers.
The new version of the KillDisk wiper was built with the Nullsoft Scriptable Install System (NSIS) and is protected by VMProtect. When activated, the malware overwrites the first sector of every physical disk it detects; that sector holds the MBR boot code and partition table, so the affected machines can no longer boot. It is still unknown how the malware reached so many systems, since it has no worm-like capability to spread across the network on its own. Presumably, the attacks on financial institutions in Latin American countries were conducted by one of the North Korean hacker groups. To detect the malicious activity of APT groups or financially motivated cybercriminals, you can leverage Threat Detection Marketplace content. The APT Framework SIEM use case can help detect signs of an attack in the early stages of the Cyber Kill Chain.
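A responder facing a first-sector wiper wants two things: a way to tell quickly whether a host's MBR has already been destroyed, and a baseline taken beforehand to compare against. The following Python script is an added example, not code from the original article, from SOC Prime, or from Trend Micro's analysis. It parses a 512-byte MBR, checks the 0x55AA boot signature and the partition table, optionally compares the sector's SHA-256 against a known-good baseline, and classifies the sector as intact, wiped (all zeros, the state a first-sector wiper leaves behind) or tampered. The sample MBR it builds in memory is constructed for the example; the raw device path `\\.\PhysicalDrive0` used by the live-read helper is an assumption about where you would run it on Windows (it needs administrator rights), and the helper is not exercised by the sample run.

```python
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic 512-byte MBR into its partition entries and integrity markers."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, count = struct.unpack(
            "<BBBBBBBBII", sector[off:off + 16])
        if ptype != 0:                # type 0x00 marks an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": count,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> str:
    """Classify a first sector as 'ok', 'wiped' (all zeros) or 'tampered'.

    A wiper that zeroes the first sector destroys both the boot signature and the
    partition table. Anything else that breaks the signature, empties the table, or
    changes the sector against a known-good baseline hash is reported as tampered.
    """
    info = parse_mbr(sector)
    if not any(sector):               # every byte is 0x00
        return "wiped"
    if not info["signature_ok"] or not info["partitions"]:
        return "tampered"
    if baseline_sha256 is not None and info["sha256"] != baseline_sha256:
        return "tampered"
    return "ok"


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first 512 bytes of a raw disk (assumed Windows path; needs admin rights).

    buffering=0 keeps the read sector-aligned, which raw device handles require.
    """
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    ntfs_entry = struct.pack("<BBBBBBBBII",
                             0x80, 0x20, 0x21, 0x00,   # bootable flag, CHS start
                             0x07, 0xFE, 0xFF, 0xFF,   # type 0x07 (NTFS), CHS end
                             2048, 204800)             # LBA 2048, 100 MiB of sectors
    empty_entry = b"\x00" * 16
    return boot_code + ntfs_entry + empty_entry * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]
    print("intact sample:   ", assess_mbr(good, baseline))
    print("after the wiper: ", assess_mbr(b"\x00" * SECTOR_SIZE, baseline))
    print("signature broken:", assess_mbr(good[:510] + b"\x00\x00", baseline))
```

Record the baseline hash while hosts are known to be healthy (a golden image or a post-build check is the natural point); during an incident, the "wiped" verdict separates machines that need a disk rebuild from those whose first sector merely differs from the baseline and deserve a closer look.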