Cylance vs. MBRKiller Wiper Malware

“All warfare is based on deception”
-Sun Tzu

May 2018: a Latin American bank watches a nightmare unfold in real-time. Employee computer systems drop like dominoes, transitioning from productive workstations to useless black screens. First dozens, then hundreds, then thousands of PCs succumb to the virus.

The culprit, MBRKiller, spreads like wildfire through the institution’s infrastructure claiming every vulnerable system in its path.

Contrary to appearances, the goal is not to destroy the bank’s operational capability. The mayhem wrought by MBRKiller serves as a distraction to obfuscate the real intent of the attackers – stealing funds from the SWIFT money transfer system. By the time the ruse is discovered, the cybercriminals have walked away with $10 million.

MBRKiller Analyzed

MBRKiller, as the name implies, destroys the master boot record (MBR) of a system thereby rendering it inoperable. It makes no contact with command and control (C2) servers and performs no guided networking. It simply destroys.
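As an added illustration that is not part of the original post, the following check shows what a defender or forensic analyst looks for when deciding whether a disk's MBR is still intact or has been overwritten by a wiper such as MBRKiller. Both sample sectors are constructed here; on a live system the first 512 bytes of the physical disk would be read instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector as an MBR and report whether it still looks intact.

    Returns the boot-signature check, the non-empty partition entries, and a
    SHA-256 of the boot-code region (bytes 0-445) for comparison with a known-good
    baseline taken before any incident.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": lba_count})
    sig_ok = sector[510:512] == BOOT_SIGNATURE
    boot_code_empty = not any(sector[:PART_TABLE_OFFSET])
    return {
        "signature_ok": sig_ok,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "intact": sig_ok and bool(partitions) and not boot_code_empty,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: a placeholder boot stub plus one NTFS partition (type 0x07)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\xFE"  # 'jmp $' placeholder, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 409600)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def wiped_mbr() -> bytes:
    """Constructed sample of what a wiper leaves behind: the sector overwritten with zeros."""
    return bytes(SECTOR_SIZE)
```

Hashing the boot-code region lets a baseline collected during normal operation be compared against the sector read during triage, which catches a rewritten MBR even when the signature bytes were left in place.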

Cylance threat research analysts dissected MBRKiller using IDAPro and various memory analysis tools. Here is what they found.

This malware is executed by the System.dll in “%Temp%/ns{5 random characters}.tmp” (Figure 1):

Figure 1: System.dll executes the virus

MBRKiller is packed with VMProtect, though tools like PEiD have difficulty making this determination without assistance (Figure 2). IDAPro was used to confirm the packer:

Figure 2: PEiD misidentifies the binary as a PCX file

Identifying the correct packer is vital to determining the additional capabilities of a threat. In this case, VMProtect comes loaded with an array of anti-analysis and anti-debugging operations (Figure 3):

Figure 3: VMProtect resists giving up information on the malware executable

An examination of leaked source code reveals that MBRKiller possesses considerable functionality, including:

  • “BHO”: a module designed to intercept and replace pages in the Internet Explorer browser

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Research Team. Read the original post at: