The KillDisk wiper attack against Banco de Chile last month now appears to have been cover for a larger operation: compromising the bank's endpoints and the servers that process transactions on the SWIFT network (the messaging network financial institutions use to exchange payment instructions; it carries the instructions, not the money itself). Investigators estimate roughly ten million dollars were stolen and funnelled to accounts in Hong Kong. The wiper itself was a rogue build of the Buhtrap kill_os component, which overwrites the Master Boot Record (MBR) and the operating system's disk contents, leaving the machines unbootable. Could this be the same MBR Killer previously used by a Russian hacker group responsible for multiple attacks against banks in Russia and Ukraine? Fingers are also being pointed at the North Korea-linked Lazarus Group, thought to have carried out the similar SWIFT-related 2016 heist against Bangladesh Bank.
It’s evident from the error message displayed on the affected systems (shown below) that the malicious code was a strain of the dreaded KillDisk.
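Because a destroyed first sector is the first thing a responder meets on an affected host, the quickest way to triage a disk image for this class of damage is to parse that sector directly: the four 16-byte partition entries at offset 0x1BE and the 0x55AA boot signature at the end. The script below is an added example written for this page, not code from the original post or from any of the vendors or groups mentioned; the healthy MBR it builds (`build_sample_mbr`) and the junk-filled sector it compares against are constructed for the demonstration. It treats an all-zero sector and a missing boot signature as the two strongest signs of an overwrite, so a wiper that writes random bytes instead of zeros still trips the second check; blank boot code is reported as a separate flag rather than a verdict, because GPT-only disks routinely carry a protective MBR with no code in it.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries follow the 446-byte boot code
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_partition_table(sector0: bytes) -> list:
    """Decode the four classic MBR partition entries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        entry = sector0[off:off + 16]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        entries.append({
            "bootable": entry[0] == 0x80,
            "type": entry[4],          # 0x07 NTFS/exFAT, 0x83 Linux, 0xEE GPT protective, 0x00 unused
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return entries


def triage_mbr(sector0: bytes) -> dict:
    """Classify the first sector of a disk or image.

    verdicts: wiped_zero (sector is all zeros), no_boot_signature (0x55AA missing:
    random-byte overwrite, or never an MBR), signature_only (signature present but
    every partition entry is empty), intact (a usable partition table survives).
    """
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector0 = sector0[:SECTOR_SIZE]
    bootcode_blank = not any(sector0[:PARTITION_TABLE_OFFSET])
    if not any(sector0):
        return {"verdict": "wiped_zero", "partitions": [], "bootcode_blank": True}
    if sector0[510:512] != BOOT_SIGNATURE:
        return {"verdict": "no_boot_signature", "partitions": [], "bootcode_blank": bootcode_blank}
    partitions = [p for p in parse_partition_table(sector0) if p["type"] != 0]
    # Blank boot code is only a hint: GPT-only disks often ship a protective MBR with no code at all.
    verdict = "intact" if partitions else "signature_only"
    return {"verdict": verdict, "partitions": partitions, "bootcode_blank": bootcode_blank}


def triage_image(path: str) -> dict:
    """Run the triage against a raw disk image or block device (e.g. image.dd or /dev/sdb)."""
    with open(path, "rb") as f:
        return triage_mbr(f.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a short real-mode boot stub, one bootable NTFS partition at LBA 2048, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    stub = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli; xor ax,ax; mov ss,ax; mov sp,0x7C00
    sector[:len(stub)] = stub
    struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    samples = {
        "healthy": build_sample_mbr(),
        "zero-filled": bytes(SECTOR_SIZE),            # KillDisk-style zero overwrite
        "junk-filled": bytes(range(256)) * 2,         # deterministic stand-in for a random-byte overwrite
    }
    for label, sector in samples.items():
        print(label, triage_mbr(sector))
```

Run `triage_image("evidence.dd")` against a forensic copy, never the live disk; the verdict tells you whether the partition table is still recoverable from the sector itself or whether you must carve for backup GPT headers and filesystem superblocks further along the disk.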
It also appears the MBR Killer was packed with VMProtect, a commercial protector whose code virtualization and anti-debugging features are designed to thwart forensic analysis and reverse engineering.
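A protector like this shows up in triage before any unpacking is attempted, in the section table of the binary. The script below is an added example for this page, not code from the original post or from VMProtect's or any vendor's tooling; it walks the PE section table by hand (no pefile dependency) and flags either VMProtect's default section names (`.vmp0`, `.vmp1`) or a section whose Shannon entropy is at or above 7.0 bits per byte, which is what virtualized, compressed or encrypted code looks like and ordinary x86 code does not. The name list and the 7.0 threshold are the author's assumptions, and a custom build can rename its sections, which is why the entropy check is there as the more durable signal. The PE images it analyses are constructed in `build_test_pe` with a zero-filled optional header: enough for the section walk, not a loadable executable.

```python
import hashlib
import math
import struct

# VMProtect's default section names (assumption: defaults only; builds can rename them).
VMPROTECT_SECTION_NAMES = {b".vmp0", b".vmp1"}
HIGH_ENTROPY_THRESHOLD = 7.0  # bits/byte; assumption: plain compiled code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list:
    """Walk the PE section table and measure each section's raw data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                      # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def packer_indicators(image: bytes) -> dict:
    """Combine the section-name and entropy heuristics into a triage verdict."""
    secs = pe_sections(image)
    by_name = [s["name"] for s in secs if s["name"] in VMPROTECT_SECTION_NAMES]
    by_entropy = [s["name"] for s in secs if s["entropy"] >= HIGH_ENTROPY_THRESHOLD]
    return {"sections": secs, "vmprotect_sections": by_name,
            "high_entropy_sections": by_entropy, "packed_likely": bool(by_name or by_entropy)}


# --- constructed test images (not real samples) -----------------------------------

def build_test_pe(sections: list) -> bytes:
    """Minimal PE container: DOS header, PE signature, COFF header, zeroed optional header, section table, raw data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows the DOS header
    opt = bytes(0xF0)                                 # PE32+ optional header size; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    raw_ptr = 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, blobs = bytearray(), bytearray()
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; remaining 16 bytes left zero
        table += struct.pack("<8sIIII", name, len(data), 0, len(data), raw_ptr) + bytes(16)
        blobs += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + blobs


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a virtualized or encrypted section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


LOW_ENTROPY_CODE = b"\x90" * 255 + b"\xc3"   # NOP sled + ret: almost no information content
SAMPLE_PACKED = build_test_pe([(b".text", LOW_ENTROPY_CODE), (b".vmp1", _pseudo_random(4096))])
SAMPLE_CLEAN = build_test_pe([(b".text", LOW_ENTROPY_CODE), (b".data", bytes(512))])

if __name__ == "__main__":
    for label, img in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        r = packer_indicators(img)
        print(label, r["packed_likely"], [(s["name"], s["entropy"]) for s in r["sections"]])
```

Feed a real sample to `packer_indicators(open(path, "rb").read())`; a hit on either list tells you to budget for dynamic unpacking or a memory dump rather than expecting static disassembly to reveal the wiper logic.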