MANILA, Philippines – The recent cyber attack on a number of broadcasting stations and banks in South Korea appears  to be under control now. But the question is: How did the attack happen? Investigations by security firms are bringing new information to light.

In the recent South Korea attack, a phishing email with malware disguised as an email document reportedly caused the system crashes that hit the country.

Trend Micro noted how the phishing attempt was made to look like an email from a bank. The malware itself was designed to download 9 files from different addresses while masking the download routines on a fake webpage.

The malware’s weapon, so to speak, is known as an master boot record (MBR) wiper.

Trend Micro explains: “This MBR wiper is first dropped on Windows systems. It is set to sleep until March 20 at 2:00 PM. Upon the said date and time, the malware is activated. It terminates certain processes. It searches remote connections stored by the following applications: mRemote and SecureCRT. It uses any stored root credentials to log into remote Linux servers: for AIS, HP-UX, and Solaris servers it wipes the MBR. If it is unable to wipe the MBR, it instead deletes the folders /kernel/, /usr/, /etc/, /home/.”

After overwriting the boot record, the malware forces a restart. But because of the overwritten boot record, the restart fails.

Due to the nature and scale of the malware attack, addressing the issue became both difficult and time-consuming. Despite this, South Korean officials have a potential lead, as some of the malicious code reportedly came from a Chinese IP address. – Rappler.com