In this post I share a technical analysis of the malware and attack vectors used in the March 20 attack, based on information obtained from the media, and technical reports of various malware research labs such as AhnLab, Imperva, Symantec, Avast, Kaspersky, Alienvault, and Sophos.

Disclaimer: I do not have access to any malware samples. The validity of the information below depends entirely on the accuracy of the technical reports of the sources mentioned above.

Anatomy of Attack

Television broadcasters YTN, MBC, and KBS, the banks Shinhan, Nonghyup, and Jeju, as well as the telecommunications operator LG U+ were targeted in this recent attack. The Korea Internet Security Agency (KISA) reported that about 48,000 computers were affected, making services inaccessible, and that weeks were needed to fully restore all functions [1]. In terms of impact, the attackers managed to penetrate the target networks, pivot their way to critical assets, wipe systems, cause denial of service, and generate enough public response to spur the media into using terminology such as cyber terror and advanced persistent threats. We take an in-depth look at the malware and attack vectors used, and later discuss whether the claims in the media are warranted. According to the investigating team, consisting of government, military, and civilian elements, as many as 76 malware samples were collected from infected machines [2]. We present the most likely primary attack vector by discussing information summarized from reports by Avast [3], Trend Micro [4], and Symantec [5][6] issued in the first few days following the attack.

Fig. 1. Dark Seoul Attack Vector

1. Spearphishing

Trend Micro researchers discovered a phishing email sent to South Korean organizations on March 19. The email contained a malicious trojan downloader which they report was detected by Deep Discovery and other software. This is likely to be the initial attack point.

2. Launch Platform – cross-site scripting

Avast detected the attacks originating from the Korea Software Property Right-Council (SPC) website (http://www.spc.or.kr), possibly infected via the phishing email sent on the 19th. Using a legitimate website or server in the target nation or region to launch attacks is a common tactic for minimizing detection. The SPC website contained JavaScript that caused the client browser to load an iframe pulling in the contents of http://rootadmin2012.com, the main attack site hosting the malicious payloads.

3. Exploitation

Examination of rootadmin2012.com revealed heap-spray code and shellcode with references to Internet Explorer (IE). Avast identified the vulnerability exploited as CVE-2012-1889 [7], which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted website. The vulnerability affects Microsoft XML Core Services 3.0 to 6.0, and a published Metasploit exploit targets MS XML Core Services 3.0 via IE6 and IE7 on Windows XP [8]. After successful exploitation, the second-stage downloader file (sun.exe) performs the following actions:

  1. Check for internet connection: Downloads an image from naver.com.
  2. Local DNS cache poisoning: Appends new entries to the Windows hosts file (Fig. 2), redirecting requests for certain banking websites to 126.114.224.53, a server located in Japan with the hostname Softbank126114224053.bbtec.net.

    Fig. 2. New entries appended to Windows hosts file

  3. Update download counter: Runs a counter script by opening http://myadmin2012.com/tong.htm.
  4. Make itself persistent: Modifies the Windows registry by adding a value named “skunser” with data “C:\ntldrs\svchest.exe”, the location to which it previously copied itself.
  5. Download backdoor: Downloads the dropper file pao.exe from http://www.hisunpharm.com/files/File/product/ and stores it as C:\Program Files\tongji2.exe.
  6. Drop and execute batch file: Schedules the downloader to run every 30 minutes and ensures svchest.exe is started with Local System privileges.
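
The hosts-file manipulation in step 2 leaves a durable artifact that a defender can audit without any malware sample. The following Python script is an added example (not code from the original post or from any of the cited labs): it parses hosts-file text the way Windows does (comments, several names per line), flags any entry that pins a monitored domain to a non-local address, and flags any entry that maps to the redirect address named in the post. The sample hosts content and the bank domain names are constructed placeholders, and the Windows hosts path is the standard location.

```python
"""Audit a Windows hosts file for the kind of entries described in step 2.

Added example (not from the original post or any of the cited labs).
"""
import ipaddress

# Constructed sample hosts content modelled on the behaviour described above.
# The bank domains are placeholders; 126.114.224.53 is the redirect address
# named in the post. The actual entries from Fig. 2 are not reproduced here.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
126.114.224.53  banking.example-bank.test www.banking.example-bank.test
126.114.224.53  online.another-bank.test
0.0.0.0         ads.tracker.test   # benign ad-blocking entry
"""

# Domains the defender expects to resolve only via DNS, never via hosts pins
# (constructed placeholders).
MONITORED_DOMAINS = {"banking.example-bank.test", "online.another-bank.test"}
# Indicator taken from the post: the Japanese server the hosts file pointed to.
KNOWN_BAD_IPS = {"126.114.224.53"}

WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing that resolves
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_local_address(ip):
    """True for loopback/unspecified/link-local targets, the only benign pins."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def audit_hosts(text, monitored=MONITORED_DOMAINS, bad_ips=KNOWN_BAD_IPS):
    """Return (hostname, ip, reason) findings for suspicious hosts entries."""
    findings = []
    for ip, name in parse_hosts(text):
        reasons = []
        if ip in bad_ips:
            reasons.append("maps to known redirect IP")
        watched = name in monitored or any(name.endswith("." + d) for d in monitored)
        if watched and not is_local_address(ip):
            reasons.append("monitored domain pinned to non-local address")
        if reasons:
            findings.append((name, ip, "; ".join(reasons)))
    return findings


def audit_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Audit a real hosts file on disk (run on the Windows host under review)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

The monitored-domain rule is the more useful of the two in practice: a hosts pin for a banking site to any routable address is suspicious regardless of which server it points at, so the check does not depend on knowing the attacker's infrastructure in advance.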

4. Post-exploitation

The tongji2.exe module injects itself into iexplore.exe in an attempt to mask itself. Avast classified it as a backdoor trojan and infostealer. The malware allowed the attackers to control the computer as a compromised zombie within a wider botnet (a theory suggested by Alienvault [9]), wipe hard disks, and harvest personal information. Examination of the file names and of the Safeengine executable protector suggests that the malware was made in China. Although capable of executing many functions, only a few were widely used in the attack:

  1. Antivirus disablement: The malware attempts to disable AhnLab and Hauri antivirus products.
  2. Command & control (C&C): Using a simple XOR loop for encryption, the malware attempts to connect to laoding521.eicp.net on port 889 to communicate with the attackers.
  3. Hard disk wiper: Symantec identified Trojan.Jokra as the component that wiped hard disks in this attack. It was likely downloaded onto the victim’s computer after an instruction from the C&C servers. The malware overwrites the master boot record (MBR) and the rest of the hard disk with the strings “PRINCIPES” or “HASTATI.”. Other attached drives or removable devices may also be targeted. The malware then forces the computer to restart, leaving it unusable. An interesting feature of this malware is that it has components to wipe hard disks on both Windows and Linux platforms. A detailed analysis of Jokra can be found in [10].
  4. Information harvesting: After gaining root privileges, the attackers can intercept any information that goes in or out of the infected computer; the most apparent use, however, was theft of user credentials. As a result of the DNS poisoning, users believe they are accessing the authentic internet banking website but are deceived into interacting with a fake one. An error message pops up stating that the user’s computer was infected by a virus and that for security reasons they need to apply for a fraud prevention service. If the user clicks the OK button, they are directed to a page requesting their name and national identification number. If the format entered is correct, the user is then asked to fill in more details, including address, phone number, etc.
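
Because the wiper described in item 3 fills the MBR and following sectors with fixed strings, a responder imaging an affected disk can confirm the damage and measure its extent from the raw sectors alone. The Python below is an added example, not code from the original post or from Symantec's write-up: it checks sector 0 for a valid 0x55AA boot signature, classifies a sector as wiped when one of the two strings quoted above covers most of it, and walks a raw image to list wiped sectors. The sample sectors are constructed inline; the 90% coverage threshold and the `scan_image_file` helper are this example's own choices.

```python
"""Check disk sectors for the overwrite pattern attributed to Trojan.Jokra.

Added example (not from the original post or Symantec's analysis).
"""

SECTOR_SIZE = 512
# Overwrite strings reported for the wiper component, as quoted in the post.
WIPER_PATTERNS = (b"PRINCIPES", b"HASTATI.")
MBR_SIGNATURE = b"\x55\xaa"
# Fraction of a sector that must be covered by a pattern to call it wiped;
# the threshold is this example's own choice, not a published value.
COVERAGE_THRESHOLD = 0.9


def make_wiped_sector(pattern, size=SECTOR_SIZE, offset=0):
    """Construct sample data: a sector filled with back-to-back copies of `pattern`.

    `offset` lets the pattern start mid-string, as happens when a 9-byte string
    is written contiguously across 512-byte sector boundaries.
    """
    reps = size // len(pattern) + 2
    return (pattern * reps)[offset:offset + size]


def make_clean_sector():
    """Construct a stand-in intact MBR: arbitrary code bytes plus the 0x55AA signature."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR_SIZE - 2))
    return body + MBR_SIGNATURE


def pattern_coverage(sector, pattern):
    """Fraction of the sector occupied by non-overlapping copies of `pattern`."""
    return sector.count(pattern) * len(pattern) / len(sector)


def wiped_with(sector):
    """Return the wiper string covering the sector, or None if no pattern dominates."""
    for pattern in WIPER_PATTERNS:
        if pattern_coverage(sector, pattern) >= COVERAGE_THRESHOLD:
            return pattern.decode("ascii")
    return None


def classify_mbr(sector):
    """Classify sector 0: 'wiped:<string>', 'intact' (valid signature) or 'unknown'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    pattern = wiped_with(sector)
    if pattern:
        return "wiped:" + pattern
    if sector[-2:] == MBR_SIGNATURE:
        return "intact"
    return "unknown"


def scan_image(data, max_sectors=None):
    """Walk a raw disk image and list (sector_index, wiper string) for wiped sectors."""
    hits = []
    total = len(data) // SECTOR_SIZE
    if max_sectors is not None:
        total = min(total, max_sectors)
    for idx in range(total):
        sector = data[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE]
        pattern = wiped_with(sector)
        if pattern:
            hits.append((idx, pattern))
    return hits


def scan_image_file(path, max_sectors=2048):
    """Read the leading sectors of an image file acquired from an affected disk."""
    with open(path, "rb") as fh:
        return scan_image(fh.read(max_sectors * SECTOR_SIZE))


if __name__ == "__main__":
    # Constructed image: wiped MBR, three wiped sectors, one untouched sector.
    image = (make_wiped_sector(b"PRINCIPES")
             + make_wiped_sector(b"HASTATI.") * 3
             + make_clean_sector())
    print(classify_mbr(image[:SECTOR_SIZE]))
    print(scan_image(image))
```

Counting occurrences rather than checking alignment matters for the 9-byte string: a contiguous fill of "PRINCIPES" does not line up with 512-byte sectors, so each sector holds one or two partial copies at its edges, and a strict start-of-sector match would miss most of them.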

References:
[1] “South Korea blames North for bank and TV cyber-attacks,” BBC News, [online] 10 April 2013, Available: http://www.bbc.co.uk/news/technology-22092051 (Accessed: 18 April 2013)
[2] He-suk Choi, “Seoul blames Pyongyang for cyber attacks,” The Korea Herald, [online] 10 April 2013, Available: http://www.koreaherald.com/view.php?ud=20130410000766 (Accessed: 18 April 2013)
[3] J. Horejsi, “Analysis of Chinese attack against Korean banks,” Avast! Blog, [online] 19 March 2013, Available: https://blog.avast.com/2013/03/19/analysis-of-chinese-attack-against-korean-banks/ (Accessed: 18 April 2013)
[4] J. Schwartz, “South Korea Changes Story On Bank Hacks,” Information Week, [online] 22 March 2013, Available: http://www.informationweek.com/security/attacks/south-korea-changes-story-on-bank-hacks/240151542 (Accessed: 18 April 2013)
[5] “Remote Linux Wiper Found in South Korean Cyber Attack,” Symantec Connect, [online] 20 March 2013, Available: http://www.symantec.com/connect/blogs/remote-linux-wiper-found-south-korean-cyber-attack (Accessed: 18 April 2013)
[6] “Trojan.Jokra,” Symantec Security Response, [online] 27 March 2013, Available: http://www.symantec.com/security_response/writeup.jsp?docid=2013-032014-2531-99 (Accessed: 18 April 2013)
[7] “CVE-2012-1889,” Common Vulnerabilities and Exposures, [online] 22 March 2012, Available: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889 (Accessed: 18 April 2013)
[8] Metasploit, “Microsoft XML Core Services MSXML Uninitialized Memory Corruption,” The Exploit Database, [online] Available: http://www.exploit-db.com/exploits/19186/ (Accessed: 18 April 2013)
[9] J. Blasco, “A theory on the South Korean attacks,” Alien Vault Labs, [online] 20 March 2013, Available: http://labs.alienvault.com/labs/index.php/2013/a-theory-on-the-south-korean-attacks/ (Accessed: 18 April 2013)

Comments
  1. […] recently released a detailed analysis on the Operation Troy attack previously known as Dark Seoul. They found that the attacks were actually a conclusion of a covert espionage […]
