
Cyber Criminals Targeting Latin American Banks

The film industry loves to portray bank robbers as street-smart criminals who plan audacious schemes to physically break into bank vaults. The reality, as always, is not so glamorous, with more and more bank robberies being confined to the digital realm. News broke towards the end of May of an attempt to steal money during a hack of a Chilean bank. It was initially reported on May 24 by Banco de Chile that the bank had suffered an all-around systems failure that affected the computers at several of its branches. Various local news sources began reporting that the bank, while maintaining online banking channels, could not carry out banking operations. Initially, the bank refused to call it a security incident, but in a subsequent announcement on May 28, Banco de Chile admitted to having been hit by "a virus."

The Virus Used

In the bank's statement to customers and the press at large, it referred to being affected by a virus. Simply calling it a virus may be an understatement. According to images posted online by bank employees, the malware crashed infected PCs, leaving them in a non-bootable state, suggesting it was affecting the hard drives' Master Boot Records (MBRs), similar to how NotPetya operated. NotPetya masqueraded as a piece of ransomware but was in fact what is termed a wiper. A wiper's sole intention is to wipe the hard drive of the computer it infects. The wiper used to target the Chilean bank crashed over 9,000 computers and over 500 servers.
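As an added example (not part of the article or of any Trend Micro tooling), the following Python triage check is what a responder could run against the first sector of a raw disk image to spot the kind of MBR overwrite described above; the sample sectors are constructed, and the offsets used are the standard MBR layout.

```python
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"        # signature every bootable MBR ends with (bytes 510-511)
PART_TABLE_OFF = 446          # four 16-byte partition entries start here

def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, skip 3-byte CHS start, type, skip 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def triage_mbr(image: bytes) -> dict:
    """Flag the signs of an overwritten MBR in the first sector of a raw disk image."""
    mbr = image[:MBR_SIZE]
    if len(mbr) < MBR_SIZE:
        return {"verdict": "truncated", "findings": ["image shorter than one sector"]}
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:PART_TABLE_OFF]):
        findings.append("boot code region is all zeros")
    if not any(p["type"] for p in parse_partitions(mbr)):
        findings.append("partition table is empty")
    return {"verdict": "likely wiped" if findings else "healthy", "findings": findings}

def build_sample_mbr(wiped: bool) -> bytes:
    """Constructed sample: a minimal valid MBR, or the same sector after a zero-fill wipe."""
    if wiped:
        return bytes(MBR_SIZE)
    mbr = bytearray(MBR_SIZE)
    mbr[:3] = b"\x33\xc0\x8e"            # opening bytes of a typical boot stub (constructed)
    # one bootable NTFS-type (0x07) partition starting at LBA 2048 (constructed values)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    for wiped in (False, True):
        print("wiped" if wiped else "healthy", triage_mbr(build_sample_mbr(wiped)))
```

On a real case the input would be the first 512 bytes of a forensic image rather than the constructed samples, and a missing signature on a disk known to have booted before the incident is the strongest single indicator.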

According to a security alert sent out by another IT company in the aftermath of the Banco de Chile hack, the malware was identified under various names. These names included KillMBR, a term previously used by Trend Micro researchers for the KillDisk disk wiper and fake ransomware. The KillDisk malware is a well-known threat which has been used in the past in hacks targeting banks and other financial institutions. KillDisk's main function in these instances is to wipe the disk and then pose as a ransomware infection by showing a ransom note on the user's screen. Wiping the disk is a preferred tactic of cybercriminals because it destroys much of the forensic data used in attributing the attack.

[Image: KillMBR virus, Banco de Chile]

Attributing the Chilean bank hack to KillDisk is difficult, as details about the hack have not been forthcoming. However, it can reasonably be assumed that it was KillDisk or a variant of it. If the images posted online by employees are taken at face value, KillDisk is very likely the culprit. This is because researchers at Trend Micro discovered a new variant of KillDisk; this information was published in a report dated June 7. This latest variant of KillDisk does not even bother to show a fake ransom note anymore; rather, it proceeds to just wipe the data from the hard drive. The report does not detail the hack affecting the Chilean bank; rather, the researchers mention a hack which occurred in May, the same month as the incident covered above.

KillDisk appears to be trending in 2018

In addition to the Trend Micro report published in June, the security firm also published a report in January of this year detailing a variant of KillDisk which was seen targeting Latin American banks and other financial institutions. Both reports contain interesting information on the infection chain and how exactly the malware goes about wiping the hard drive, for those wishing to know more. What is important for the purposes of this article is that researchers at Trend Micro have been detecting the malware specifically targeting Latin American banks. This would further prove that it was, in fact, KillDisk that caused the major systems failure at Banco de Chile.

What will be of particular interest to investigators, authorities, and researchers is that the Chilean hack seems to form part of a string of attacks targeting South American institutions. This means that a single group of hackers could be behind the attacks. On May 29, Bloomberg reported that in January hackers tried to steal 110 million USD from a Mexican bank using the SWIFT system. In the Trend Micro report from January, the security firm stated that it believes the same group has now tried its hand at another heist at another bank in Latin America. Researchers further said that “Our analysis indicates that the attack was used only as a distraction…The end goal was to access the systems connected to the bank’s local SWIFT network.” This would have been in line with how the group targeted the Mexican bank as well as others throughout the region.

Was any money stolen?

Often seen as the fabled million-dollar question when it comes to bank heists: how much was taken? Initially, it seemed as if no money was successfully stolen. With both the bank and the Chilean authorities giving out no information to the public, it was essentially anyone’s guess as to what really happened. It was reported by a Chilean journalist that someone tried to make off with $11 million during the May 24 incident. However, the journalist, who cited an inside source, claimed the hack was an inside job in retaliation for recent layoffs, rather than an external threat. The bank also insisted that customers’ funds were safe. Up to this point, the world had to take the journalist and the bank at their word. Trend Micro does put forward a convincing case that it was not an inside job as the journalist believes.

Then on June 9, Banco de Chile admitted that 10 million USD was indeed stolen during the May 24 incident, thus making the million-dollar question a 10-million-dollar one. Time and time again we see corporations failing to handle the PR side of being hacked with any kind of grace. The Equifax and Uber data breaches instantly come to mind.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
