A theory on the South Korean attacks
March 20th, 2013 | Posted in News
During the day I've been thinking about what has just happened in South Korea.
We have published earlier today a quick blog post about how the wiper payload works. It is a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot.
Other companies have published information about the wiper payloads, but no one is giving information about how the attackers gained access to the affected networks. To execute that payload they had to gain access to the companies somehow and execute the wiping routine at the same time on the affected computers.
If the goal of the attackers was to create panic, it means they didn't need a specific list of victims, did they? From my point of view, one of the easiest ways to gain access to several targets without many resources or skills would be:
- Buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure.
or even better:
- Rent one or more botnets that have access to hundreds of computers and try to find victims inside interesting targets.
We have seen in the past that large botnets like Zeus or other financially driven botnets had access to systems within the networks of large organizations such as Bank of America, Amazon and NASA.
Therefore, finding infected systems in Broadcasting & Cable companies in South Korea like KBS, MBC and YTN (victims of the attacks) inside fraud botnets wouldn't be unusual, would it?
The fact is that after reading some of the Korean news about the attacks, I found they mentioned several filenames that were involved in the attacks, such as apcruncmd.exe, imbc.exe, sbs.exe, kbs.exe, Bull.exe, Sun.exe, asd.exe, 38.exe, 39.exe, Sad.exe, down.exe and v3lite.exe.
We've only analyzed ApcRunCmd.exe, which is the payload that overwrites the MBR. If the information about the filenames is accurate enough, what about the other filenames?
Armed with patience, we began searching for pieces of malware that could generate those filenames and also be related to South Korea.
The first file we found was b7c6caddb869d8c64e34478223108c605c28c7b725f4d1f79e19064cffca74fa, which had been submitted to VirusTotal two days ago from South Korea.
When the binary is executed, it creates the following files in the system:
- \Local Settings\Temp\1.tmp\bat.bat
The content of the bat file is:
Basically, it clears the DNS cache for Internet Explorer and modifies the etc/hosts file, adding new entries. When the victim resolves the South Korean banks' domain names included in the modified etc/hosts file, the domains will point to 22.214.171.124.
It seems the malware also starts the Task Scheduler service using the command "net start Task Scheduler", probably to create tasks with malicious purposes. Finally, it creates an autostart registry key to maintain persistence.
The malware connects to the host home1[.]hades08[.]com (126.96.36.199).
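The hosts-file tampering described above is easy to check for on a suspect machine. The following script is an added example (not from the original post): it parses hosts-file text and reports any non-local hostname pinned to a non-loopback address, tagging entries that point at the IP named in the post. The bank hostnames in the sample are constructed placeholders.

```python
import ipaddress
import re

# Address ranges a hosts file may legitimately map names to.
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128"),
              ipaddress.ip_network("0.0.0.0/32")]
# Hostnames that normally appear in a clean hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}
# Indicator taken from the post (the sinkhole address for the bank domains).
KNOWN_BAD_IPS = {"22.214.171.124"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a valid hosts entry
        for name in parts[1:]:
            yield ip, name.lower()

def suspicious_entries(text):
    """Return (name, ip, reason) for entries that pin non-local names to
    non-loopback addresses; reason is 'known_bad' for listed indicators."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in BENIGN_NAMES or any(ip in net for net in LOCAL_NETS):
            continue
        reason = "known_bad" if str(ip) in KNOWN_BAD_IPS else "unexpected_mapping"
        findings.append((name, str(ip), reason))
    return findings

# Constructed sample resembling the tampered file (bank names are placeholders).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# entries appended by the dropper
22.214.171.124 www.bank-example-a.co.kr
22.214.171.124 www.bank-example-b.co.kr
10.0.0.5 intranet.local
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:18} {name} -> {ip}")
```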
We have found several samples with the same behavior and using the same filename (imbc.exe) and connecting to similar C&C servers, examples:
- home2[.]hades08[.]com (188.8.131.52)
- home3[.]hades08[.]com (184.108.40.206)
Other suspicious binaries matching the patterns we were looking for and submitted from South Korea in the last few days were:
internal name: nhncorp
file version: 1,0,0,0
Connects to 220.127.116.11
All the files we mentioned are certainly from the same malware family: they have very similar behaviours with some slight differences, and their filenames match the list we found in the South Korean news. Some vendors call this family Win32.Morix.
The domain hades08[.]com was registered by email@example.com a week ago.
We found the following subdomain, ddd[.]hades08[.]com, which seems to be serving a version of the Chinese exploit kit named GonDad:
We found another website, d41[.]asdasd2012[.]com serving the GonDad exploit kit.
The registrant for asdasd2012[.]com is also firstname.lastname@example.org, and it was registered a day after hades08[.]com.
The relationship is obvious because dl[.]hades08[.]com is now pointing to the same IP address as mb[.]asdasd2012[.]com (18.104.22.168).
According to Google, the domain asdasd2012[.]com has infected 4 domains in the past 90 days including a South Korean website, appstory.co.kr.
On the other hand, if we take the IP address of the C&C server for the sample with filename v3lite.exe that we mentioned earlier, 22.214.171.124, and use passive DNS, we can find the following subdomains of frcvb[.]com that pointed to that IP in the last few days:
tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
qqq[.]frcvb[.]com A 121[.]156[.]58[.]135
ttt[.]frcvb[.]com A 121[.]156[.]58[.]135
zzz[.]frcvb[.]com A 121[.]156[.]58[.]135
The domain frcvb[.]com was registered less than a month ago.
According to Google, the domain frcvb[.]com has infected 18 domains in the past 90 days, including several South Korean websites:
Another domain we detected in the same infrastructure is frcob[.]com; it is being used as a C&C server for the same malware we mentioned earlier.
As another example, the following South Korean websites were also affected by the GonDad exploit kit hosted on frcob[.]com and frcvb[.]com:
The fact is, we could probably show you dozens of domains hosting versions of the GonDad exploit kit, affecting South Korean websites and related to the malware family we have been talking about.
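The pivots above (subdomains of frcvb[.]com sharing one IP, dl[.]hades08[.]com and mb[.]asdasd2012[.]com sharing another) are the same operation repeated: group passive-DNS A records by address and connect the registrable domains that share one. The script below is an added example (not the post's own tooling) that parses records in the defanged "name A ip" form used above and clusters domains through shared IPs with a union-find; the sample records reuse the post's values plus one constructed unrelated record.

```python
import re
from collections import defaultdict

def refang(s):
    """Turn the defanged 'x[.]y' notation used in the post back into 'x.y'."""
    return s.replace("[.]", ".")

def registrable(domain):
    """Naive second-level domain; sufficient for the .com names here."""
    return ".".join(domain.split(".")[-2:])

def parse_records(text):
    """Parse 'name A ip' lines (defanged or not) into (name, ip) tuples."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+A\s+(\S+)\s*$", line)
        if m:
            out.append((refang(m.group(1)).lower(), refang(m.group(2))))
    return out

def cluster_by_ip(records):
    """Group registrable domains into clusters linked by shared IPs.
    Returns a sorted list of sorted domain lists, one per cluster."""
    parent = {}
    def find(x):                      # union-find root with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_ip = defaultdict(set)
    for name, ip in records:
        by_ip[ip].add(registrable(name))
    for doms in by_ip.values():
        doms = sorted(doms)
        for d in doms:
            find(d)                   # register every domain, even singletons
        for d in doms[1:]:
            parent[find(doms[0])] = find(d)   # merge all domains on this IP
    groups = defaultdict(set)
    for d in list(parent):
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample: records from the post plus one unrelated domain.
SAMPLE = """\
tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
dl[.]hades08[.]com A 18[.]104[.]22[.]168
mb[.]asdasd2012[.]com A 18[.]104[.]22[.]168
www[.]example[.]com A 203[.]0[.]113[.]9
"""
```

Running `cluster_by_ip(parse_records(SAMPLE))` yields one cluster joining hades08[.]com and asdasd2012[.]com, while the unrelated domain stays in a cluster of its own.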