More details of the cyberattack on multiple banks and media companies in South Korea on Wednesday have emerged, suggesting that at least part of the attack was launched through a phishing campaign against employees of the companies. According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.
The attachment was first noticed by e-mail scanners on March 18, the day before the attack was triggered. The e-mail was purportedly from a bank; Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past.
The attachment, disguised as a document, was actually the installer for the "wiper" malware. It also carried PuTTY SSH and SCP clients, and a bash script designed to be used in an attack against Unix servers that the target machines had connection profiles for. When activated, the dropper attempted to create SSH sessions to Unix hosts with root privileges and erase key directories, as Ars reported yesterday.