3.20 South Korea Cyber Attack

2013-03-22 Stolen Byte

https://www.dailysecu.com/bbs/download.php?table=bbs_10&savefilename=bbs_10_855_2651.pdf&filename=0320_cyberterror_stolenbyte.pdf

Attachments

0320_cyberterror_stolenbyte.pdf (322 KB)

WOWHACKER Group analyzed malware used in the March 20, 2013 South Korea cyberattack. The binary dynamically loads Windows libraries and APIs, checks for a file-mapping marker to avoid repeat execution, kills security-related processes such as pasvc.exe and clisvc.exe, and creates worker threads for destructive behavior. The analysis shows direct access to PhysicalDrive0, MBR-level operations, file checks under the Windows Temp path, and anti-detection techniques likely intended to support large-scale disruption.
