Different Wipers Identified in South Korean Cyber Attack

Our analysis of Trojan.Jokra, the threat that recently caused major outages within the South Korean broadcasting and banking sectors, has identified another wiper.

Over the past few days, security researchers have been discussing the wiper component found in this Trojan, specifically the different wiper versions and the timings involved. We have seen the following strings used in four different variants:

  • HASTATI and PR!NCPES in combination

Three of the wipers are packaged as a position-independent executable (PIE) and the fourth as a dynamic-link library (DLL) injection. The variants also differ in their timing.

Table. Trojan.Jokra wipers

Two of the wipers were instructed to wipe immediately upon execution. Another was instructed to wipe specifically at 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20, regardless of the year.

Figure. Trojan.Jokra wiper countdown