{
	"id": "d05cff52-4c95-4431-bc4c-f85787fa85c2",
	"created_at": "2026-04-06T00:13:16.657477Z",
	"updated_at": "2026-04-10T03:20:29.837985Z",
	"deleted_at": null,
	"sha1_hash": "b6457c0b9f5946979f0d693ff083764f53a136ba",
	"title": "KillDisk Variant Hits Latin American Finance Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263134,
	"plain_text": "KillDisk Variant Hits Latin American Finance Industry\r\nBy Fernando Merces, Byron Gelera, Martin Co\r\nPublished: 2018-06-07 · Archived: 2026-04-05 22:07:28 UTC\r\nIn January, we saw a variant of the disk-wiping KillDisk malware hitting several financial institutions in Latin America. One of these attacks was related to a foiled heist on the organization’s system connected to the Society for Worldwide Interbank Financial Telecommunication’s (SWIFT) network.\r\nLast May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, disrupting operations for almost a week and limiting services to customers. Our analysis indicates that the wiping was only a distraction: the end goal was to access the systems connected to the bank’s local SWIFT network.\r\nThe telltale sign was a problem with the affected machines’ boot sector. Based on the error message displayed after our tests, we were able to ascertain that this was another, possibly new, variant of KillDisk. This kind of boot error is typical of systems hit by MBR-wiping threats and not of other malware types such as ransomware, which some people initially believed to be the culprit. Trend Micro products detect this threat as TROJ_KILLMBR.EE and TROJ_KILLDISK.IUE.\r\nThe nature of this payload alone makes it difficult to determine whether the attack was an opportunistic cybercriminal campaign or part of a coordinated operation like the attacks we observed last January.\r\nFigure 1. Error screen after the boot sector is overwritten\r\nhttps://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html\r\nPage 1 of 4\n\nInitial analysis\r\nWe were able to source a sample that may be the malware involved in the May 2018 attacks. 
We ran it, and it broke the boot sector as expected (see Figure 1). An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source tool for building setup programs. The actor behind this threat used NSIS and purposely named the installer “MBR Killer.” Although the sample was protected by VMProtect (a virtualization-based protector used to hinder reverse engineering), we were still able to verify that it has a routine that wipes the first sector of the machine’s physical disk, as shown in Figure 2. We have not found any other new or notable routines in the sample we have. There is no evident command-and-control (C\u0026C) infrastructure or communication, and no ransomware-like routines are coded into the sample. There are no indications of network-related behavior in this malware.\r\nFigure 2. The malware named “MBR Killer” (highlighted, top) and a code snippet showing its routine of wiping the disk’s first sector (bottom)\r\nFigure 3. How the malware carries out its MBR-wiping routine\r\nHow the malware wipes the affected machine’s disk\r\nThe malware was designed to wipe all the physical hard disks it can find in the infected system. Here’s a summary of how it performs its MBR-wiping routine:\r\n1. It calls the application programming interface (API) CreateFileA on \\\\.\\PHYSICALDRIVE0 to obtain a handle to the raw hard disk.\r\n2. It overwrites the first sector of the disk (512 bytes) with 0x00. The first sector is the disk’s MBR, which holds both the boot code and the partition table.\r\n3. It repeats steps 1-2 on \\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, \\\\.\\PHYSICALDRIVE3, and so on, as long as a hard disk is available.\r\n4. It then forces the machine to shut down via the API ExitWindows. When the machine is next powered on, the firmware no longer finds a valid boot sector and the machine fails to boot with an error like the one in Figure 1.\r\nBecause only sector 0 is zeroed, the partition table is lost but the partitions’ contents are not. On a disk whose partitions are otherwise intact, the MBR can often be rebuilt by scanning for the filesystem boot sectors, which is worth checking before an affected machine is re-imaged.\r\nWhen calling the APIs, the main executable will drop the component file %User Temp%/ns{5 random characters}.tmp/System.dll. 
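The sector-zero overwrite described in steps 1-4 above, and the integrity monitoring recommended under Mitigation below, worked through on a constructed disk image (an added example, not code from the original article, from Trend Micro or from the malware sample): it builds a 512-byte MBR with a partition table and the 0x55AA signature, zeroes sector 0 the way the wiper does, and shows that a baseline hash plus a signature check tells a wiped MBR apart from a merely modified one. The function names, the partition layout and the image contents are made up for the demonstration; nothing here opens a physical drive.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512                      # sector 0 of a disk is the MBR
BOOT_SIGNATURE = bytes([0x55, 0xAA])   # last two bytes of a valid MBR
TABLE_OFFSET = 446                     # bootstrap code, then four 16-byte partition entries
ENTRY_SIZE = 16


def pack_entry(bootable: bool, ptype: int, lba_start: int, size: int) -> bytes:
    # Classic MBR partition entry: status, CHS start (3 bytes, left zero here),
    # type, CHS end (3 bytes, left zero), LBA start, size in sectors.
    status = bytes([0x80 if bootable else 0x00])
    return (status + bytes(3) + bytes([ptype]) + bytes(3)
            + lba_start.to_bytes(4, 'little') + size.to_bytes(4, 'little'))


def build_sample_image(sectors: int, partitions: List[Tuple[bool, int, int, int]]) -> bytearray:
    # Constructed test image (not captured from a real machine): fake bootstrap
    # code, a partition table, the 0x55AA signature, then filler sectors so the
    # wipe visibly leaves everything past sector 0 untouched.
    bootstrap = (b'FAKEBOOTSTRAP ' * 32)[:TABLE_OFFSET]
    table = b''.join(pack_entry(*p) for p in partitions).ljust(4 * ENTRY_SIZE, bytes(1))
    image = bytearray(bootstrap + table + BOOT_SIGNATURE)
    for n in range(1, sectors):
        image += (b'DATA' + str(n).encode()).ljust(SECTOR_SIZE, b'.')
    return image


def read_first_sector(path: str) -> bytes:
    # Works on a disk image file or, with administrator/root rights, on a raw
    # device such as /dev/sda or the Windows physical-drive path from step 1.
    with open(path, 'rb') as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> Dict:
    # Reads back what sector 0 contains; used both to explain the image and to
    # classify a damaged sector in check_mbr().
    if len(sector) != SECTOR_SIZE:
        raise ValueError('MBR must be exactly one 512-byte sector')
    parts = []
    for i in range(4):
        e = sector[TABLE_OFFSET + ENTRY_SIZE * i:TABLE_OFFSET + ENTRY_SIZE * (i + 1)]
        if e[4] != 0:   # partition type 0x00 marks an unused entry
            parts.append({'bootable': e[0] == 0x80, 'type': e[4],
                          'lba_start': int.from_bytes(e[8:12], 'little'),
                          'sectors': int.from_bytes(e[12:16], 'little')})
    return {'all_zero': not any(sector),
            'has_signature': sector[510:512] == BOOT_SIGNATURE,
            'partitions': parts}


def wipe_first_sector(image: bytearray) -> bytearray:
    # Simulates step 2 of the routine above on an in-memory copy: the first
    # 512 bytes become 0x00. Nothing here opens a real drive.
    wiped = bytearray(image)
    wiped[0:SECTOR_SIZE] = bytes(SECTOR_SIZE)
    return wiped


def mbr_digest(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> str:
    # Integrity check for sector 0 against a baseline taken while the machine
    # was known good. Returns a short verdict string.
    if mbr_digest(sector) == baseline_digest:
        return 'ok'
    info = parse_mbr(sector)
    if info['all_zero']:
        return 'wiped'             # what this KillDisk variant leaves behind
    if not info['has_signature']:
        return 'signature-missing'
    return 'modified'              # e.g. a bootkit or a legitimate bootloader reinstall


def demo() -> Tuple[str, str, int]:
    # One bootable NTFS-type (0x07) partition starting at LBA 2048, in an 8-sector image.
    image = build_sample_image(8, [(True, 0x07, 2048, 4096)])
    baseline = mbr_digest(bytes(image[:SECTOR_SIZE]))
    before = check_mbr(bytes(image[:SECTOR_SIZE]), baseline)
    wiped = wipe_first_sector(image)
    after = check_mbr(bytes(wiped[:SECTOR_SIZE]), baseline)
    intact = sum(1 for n in range(1, 8)
                 if wiped[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] == image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])
    return before, after, intact


if __name__ == '__main__':
    print(demo())   # ('ok', 'wiped', 7)
```

To check a real Windows machine, run check_mbr() over the first 512 bytes read from the device path in step 1 (raw disk access needs administrator rights), with the baseline digest recorded while the system was known good and kept off the host, since a wiper with raw disk access can destroy a locally stored baseline along with everything else. A boot-loader update legitimately changes sector 0, so a 'modified' verdict needs review rather than an automatic alarm; 'wiped' does not.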
The main executable then loads that DLL, which is the NSIS System plug-in; its export function “Call” is what the installer script uses to invoke the Win32 APIs above. Any NSIS installer that uses the System plug-in drops this same System.dll, so its presence in a temporary ns{5 random characters}.tmp directory is not by itself an indicator of compromise; the raw write to a physical drive is the behavior to alert on.\r\nMitigation and best practices\r\nThe destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers. Here are some best practices that organizations can adopt to defend against this kind of threat:\r\nIdentify and address security gaps. Regularly patch and update networks, systems, and programs/applications to remove exploitable vulnerabilities. Create strict patch management policies and consider virtual patching, especially for legacy systems. Regularly back up data and safeguard its integrity.\r\nSecure mission-critical infrastructure. Secure the infrastructure used to store and manage personal and corporate data. For financial institutions, SWIFT has a Customer Security Programme that provides mandatory and advisory controls for their local SWIFT infrastructure. Some of these include virtual patching, vulnerability scanning, application control, and integrity monitoring of SWIFT-related applications.\r\nEnforce the principle of least privilege. Restrict access to mission-critical data. Network segmentation limits user or program access to the network; data categorization organizes data by importance to minimize further exposure to threats or breaches. 
Restrict access to and use of tools reserved for system administrators (for example, PowerShell and command-line tools) to prevent them from being abused. Disable outdated and unneeded system or application components.\r\nProactively monitor online premises. Deploy additional security mechanisms to further hinder attackers. Firewalls and intrusion detection and prevention systems help against network-based attacks, while application control and behavior monitoring prevent the execution of suspicious and unwanted files or malicious routines. URL categorization also helps prevent access to malware-hosting sites.\r\nFoster a culture of cybersecurity. Many threats rely on social engineering to succeed. Awareness of the telltale signs of spam and phishing emails, for instance, significantly helps thwart email-based threats.\r\nCreate a proactive incident response strategy. Complement defensive measures with incident response strategies that provide actionable threat intelligence and insights to help IT and information security teams actively hunt for, detect, analyze, correlate, and respond to threats.\r\nTrend Micro Solutions\r\nTrend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications and protects physical, virtual, and cloud workloads. 
With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nIndicators of Compromise (IOCs)\r\nRelated Hashes (SHA-256):\r\na3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8 — TROJ_KILLMBR.EE\r\n1a09b182c63207aa6988b064ec0ee811c173724c33cf6dfe36437427a5c23446 — TROJ_KILLDISK.IUE\r\nSource: https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html"
	],
	"report_names": [
		"new-killdisk-variant-hits-latin-american-financial-organizations-again.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6457c0b9f5946979f0d693ff083764f53a136ba.pdf",
		"text": "https://archive.orkl.eu/b6457c0b9f5946979f0d693ff083764f53a136ba.txt",
		"img": "https://archive.orkl.eu/b6457c0b9f5946979f0d693ff083764f53a136ba.jpg"
	}
}