AlienVault R&D Labs Portal. Get the latest news from our research.
Header

A theory on the South Korean attacks

March 20th, 2013 | Posted by jaime.blasco in News

During the day I’ve been thinking about what have just happened in South Korea.

We have published earlier today a quick blog post about how the wiper payload works. It is a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot.

Other companies have published information about the wiper payloads but anyone is giving information about how the attackers gained access to the affected networks. To execute that payload they had to gain access to the companies somehow and execute the wiping routine at the same time in the affected computers.

If the goal of the attackers was to create panic it means they hadn’t to have a specific list of victims, had they?.  From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be:

- Buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure.

or even better:

- Rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets.

We have seen in the past that large botnets like Zeus or other financial driven botnets had access to systems within the networks of large organizations such as Bank of America, Amazon and NASA.

Therefore, finding infected systems in Broadcasting & Cable companies in South Korea like KBS, MBC and YTN (victims of the attacks) inside fraud botnets wouldn’t be unusual, would it be?.

The fact is that after reading some of the Korean news about the attacks:

- http://m.kukinews.com/view.asp?gCode=news&arcid=0007006484&code=41121111

- http://www.zdnet.co.kr/news/news_view.asp?artice_id=20130320185309

I found they mentioned several filenames that were involved on the attacks such as apcruncmd.exe, imbc.exe, sbs.exe, kbs.exe, Bull.exe, Sun.exe, asd.exe, 38.exe, 39.exe, Sad.exe, down.exe, v3lite.exe.

We’ve only analyzed ApcRunCmd.exe  that is the payload that overwrites the MBR. If the information about the filenames is accurate enough, what about the other filenames?.

Armed with patience we began the search of pieces of malware that could generate those filenames and also be related to South Korea.

The first file we found was b7c6caddb869d8c64e34478223108c605c28c7b725f4d1f79e19064cffca74fa that was submitted to VirusTotal two days ago from South Korea.

When the binary is executed, it creates the following files in the system:

- \Local Settings\Temp\1.tmp\bat.bat

- \WINDOWS\Temp\125.exe

- \Temp\imbc.exe

The content of the bat file is:

 

 

 

 

 

Basically it clears the DNS cache for Internet Explorer and modifies the etc/hosts file adding new entries.When the victim resolves the South Korean bank’s domain names included in the modified “etc/hosts” file, the domains will point to 103.14.114.156.

It seems the malware is also starting the Task Scheduler service using the command “net start Task Scheduler” probably to create some tasks with malicious purposes.Finally it creates an autostart registry key to maintain persistence.

The malware connects to the host home1[.]hades08[.]com (126.7.217.163)

We have found several samples with the same behavior and using the same filename (imbc.exe) and connecting to similar C&C servers, examples:

- home2[.]hades08[.]com (126.7.217.163)

- home3[.]hades08[.]com (126.7.217.163)

Other suspicious binaries matching the patterns we were looking for and submitted from South Korean in the last few days were:

11f6569e3453dbf2c8c392a1bf653c84e7b2dbc6d90a22936c95bf843bfcda73 -

Filename: kbs.exe

Sigcheck:

publisher…………….: nhncorp
product………………: nhncorp
internal name…………: nhncorp
file version………….: 1,0,0,0
copyright…………….: nhncorp
description…………..: nhncorp

0b445a03690cd857079577da29860c8b036f084a09885bb01499df553e3640c5

Filename: v3lite.exe

Connects to 121.156.58.135

All the files we mentioned are from the same malware family for sure, they have very similar behaviours with some slightly differences and their filenames match with the list we found in the South Korean news. Some vendors call this family Win32.Morix.

Chinese packer/language

The domain hades08[.]com was registered by smokeno@163.com a week ago.

We found the following subdomain:

ddd[.]hades08[.]com that seems to be serving a version of the Chinese Exploit Kit named GonDad:

http://urlquery.net/report.php?id=1528549

According to Google it infected the domain blogermoney[.]com

We found another website, d41[.]asdasd2012[.]com serving the GonDad exploit kit.

http://urlquery.net/report.php?id=1528774

The domain registrant for asdasd2012[.]com is also smokeno@163.com and it was registered a day after hades08[.].com

The relationship is obvious because dl[.]hades08[.]com is know pointing to the same IP address as mb[.]asdasd2012[.]com (126.7.217.163)

According to Google, the domain asdasd2012[.]com has infected 4 domains in the past 90 days including a South Korean website, appstory.co.kr.

On the other hand if we get the IP address of the C&C server for the sample with filename v3lite.exe we previously mentioned, 121.156.58.135.

Using passive DNS we can found the following subdomains of frcvb[.]com pointed to that IP in the last few days:

tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
qqq[.]frcvb[.]com A 121[.]156[.]58[.]135
ttt[.]frcvb[.]com A 121[.]156[.]58[.]135
zzz[.]frcvb[.]com A 121[.]156[.]58[.]135

The domain frcvb[.]com was registered less that a month ago.

According to Google, the domain frcvb[.]com has infected 18 domains in the past 90 days including several South Korean websites:

koreanmovie.com/

chinawoo.kr/

Other domain that we have detected in the same infrastructure is frcob[.]com and it is being used as C&C server for the same malware we previously mentioned

http://www.threatexpert.com/report.aspx?md5=1b40b1ff80738ec2fe5747a28d9726a1

As another example the following SK websites were also affected by the GonDad exploit kit hosted on frcob[.]com and frcvb[.]com:

www.knbox.com
www.keduac.co.kr
raya.co.kr
chinawoo.kr
goam.co.kr
bohumbest.net

 

Summary

The fact is we could probably show you dozens of domains hosting versions of the GonDad exploit kit, affecting South Korean websites and related with the malware  family we have been talking about.

It means that hundreds of South Korean websites are pointing to the GonDad exploit kit and probably thousands of South Korean users have been compromised and they are part of a botnet.
If the people behind yesterday’s South Korean attacks had access to some of the infrastructure we have detailed in the blog post, they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies. Then they could have manually upload another payload to each of the systems and the could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload.
You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used. Maybe this is only an example and they also bought the service or access to other Exploit kits/botnets as well (Blackhole, Zeus, Koobface…).
On the other hand both the Exploit kit and the malware mentioned seems to come from China but the attackers could have bought/rent it in the black market. The addresses used to register some of the related domain names were also Chinese ones.

You can follow any responses to this entry through the RSS 2.0 You can skip to the end and leave a response. Pinging is currently not allowed.