Different Wipers Identified in South Korean Cyber Attack

Our analysis of Trojan.Jokra, the threat which recently caused major outages within the Korean Broadcasting and Banking sectors, has produced another wiper.

Security researchers the past few days have been discussing the wiper component found in this Trojan, specifically different wiper versions and the timings involved. We have seen the following strings used in four different variants:

  • PRINCIPES
  • HASTATI
  • PR!NCPES
  • HASTATI and PR!NCPES in combination
  • PRINCPES

Three wipers are packaged as a position-independent executable (PIE) and a fourth as a dynamic-link library (DLL) injection. There are also some differences in regard to the timing.
 

table1.jpg

Table. Trojan.Jokra wipers
 

Two of the wipers were instructed to immediately wipe upon execution. Another was instructed to wipe specifically at 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20, independent of year.
 

image1.jpg

Figure. Trojan.Jokra wiper countdown
 

To ensure that your machine is protected from Trojan.Jokra and other threats, please ensure that your computer has the latest patches installed and that you have the most up-to-date antivirus definitions installed.