Banco de Chile victim of a devastating wiper attack, money allegedly stolen

On May 24 computers in Banco de Chile offices and branches suddenly rebooted and their screens turned black. Local media outlets reported that bank branches could not operate because of the broken workstations. Banco de Chile was quick to acknowledge the issues and recommended using online and mobile banking, which operated without interruption.

The bank also issued a formal statement to inform its customers that their funds were safe.

Incident analysis

We decided to look deeper into this incident and quickly identified a blog post on www.seguridadyfirewall.cl which included a picture of a computer screen in the bank’s offices.

It looks like something destroyed the MBR, so the computers cannot boot. After a few days of research we were able to confirm that around 10,000 Windows computers and servers were destroyed by a very simple piece of malware. We were also able to identify a post on a Chilean forum where one of the users published a chat log with someone claiming insider knowledge, mentioning 9,000 PCs and 500 servers destroyed by the attack throughout Chile.

Banco de Chile confirmed it was a virus attack, but did not provide any further explanation of the circumstances of the incident.

Trend Micro published a good analysis of the file responsible for the data destruction. Based on the information we have been able to gather so far, the malicious file is a really simple tool: it just damages the MBR and reboots the computer. It was allegedly deployed via an antivirus update mechanism.

Money stolen?

Why would anyone just destroy thousands of a bank’s workstations? While we kept looking for further clues we found an interesting tweet by a local journalist claiming that USD 11 million was stolen from the bank at the same time the wiper destroyed the workstations.

While the journalist claims it could have been an inside job, we also found out that some artefacts of a well-known Lazarus toolset were allegedly identified in the bank’s systems. Trend Micro believes the wiper variant was connected to the foiled heist in Mexico in January. We have no knowledge of any connection between the alleged unauthorised transfers and the wiped workstations, but the two incidents could have something in common. The investigation continues and we hope to learn more in the future.

Alleged wiper file analysis on VT