Jun 25, 9:37 am (UTC-7), by Marco Dela Vega (Threats Researcher)
On Tuesday, South Korea raised the country’s cyber security alarm from level 1 to 3, because of several incidents that affected different government and news websites in South Korea. One of the several attacks related to the June 25 security incident involved the compromise of the auto-update mechanism related to the legitimate installer file SimDisk.exe, which we were able to get a sample of. SimDisk is a file-sharing and storage service.
Most software vendors’ auto-update mechanisms are intended to be non-intrusive to the user experience in order to help consumers keep their software patched and updated with the latest versions of the software. This is extremely important in preventing exploit attacks that leverage software vulnerabilities in order to perpetrate cybercrime or targeted attacks.
In the SimDisk case, the legitimate software is configured to automatically download updates from a specific website. However, this website was compromised and served a modified version of the installer (detected as TROJ_DIDKR.A). The modified version drops a copy of the legitimate installer in order to simulate what should typically happen. But it also drops another file (also detected as TROJ_DIDKR.A), a malicious component that connects to a malicious location, allowing the infection chain to play out as intended.
Figure 1. Possible attack scenario
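The weakness the attack exploits is an update client that trusts whatever the download site serves. The added example below, written for this post and not code from SimDisk or Trend Micro, shows the check a client can perform instead: the vendor signs a small manifest (file name, version, SHA-256) with a publisher key whose private half never sits on the download server, and the client, holding only the pinned public key, accepts an installer solely if the manifest signature verifies and the installer's digest matches. The installer bytes, version string and keys are constructed stand-ins; the real SimDisk.exe is not used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the update descriptor the vendor publishes alongside the
// installer. The client trusts it only because its signature verifies under
// the publisher key pinned in the client, never because of where it came from.
type Manifest struct {
	FileName string
	Version  string
	SHA256   string // hex digest of the installer bytes
}

// canonical returns the exact byte string that is signed; a fixed field
// order keeps signer and verifier in agreement.
func (m Manifest) canonical() []byte {
	return []byte(m.FileName + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest runs on the vendor's release infrastructure, not on the
// update server, so a compromise of the download host yields no signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client-side check. The installer is accepted only if
//  1. the manifest signature verifies under the pinned publisher key, and
//  2. the installer's SHA-256 equals the digest named in that manifest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest mismatch: refusing update")
	}
	return nil
}

// Outcome records what the client decides for each constructed delivery.
type Outcome struct {
	GenuineAccepted          bool // vendor manifest + vendor installer
	TamperedAccepted         bool // vendor manifest + modified installer
	AttackerManifestAccepted bool // attacker re-signs a manifest matching the modified installer
}

// Scenario builds a constructed vendor release, a tampered copy of the
// installer, and an attacker-issued manifest, and runs the client check on each.
func Scenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the real installer bytes.
	genuine := []byte("CONSTRUCTED placeholder for SimDisk.exe installer bytes")
	sum := sha256.Sum256(genuine)
	m := Manifest{FileName: "SimDisk.exe", Version: "0.0-example", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(vendorPriv, m)

	// A modified installer served from the compromised download site.
	tampered := append(append([]byte{}, genuine...), []byte(" + constructed dropper stub")...)

	// An attacker who controls the server can also publish a manifest whose
	// digest matches the tampered file, but only signed with a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsum := sha256.Sum256(tampered)
	mAttacker := Manifest{FileName: m.FileName, Version: m.Version, SHA256: hex.EncodeToString(tsum[:])}
	sigAttacker := SignManifest(attackerPriv, mAttacker)

	return Outcome{
		GenuineAccepted:          VerifyUpdate(vendorPub, m, sig, genuine) == nil,
		TamperedAccepted:         VerifyUpdate(vendorPub, m, sig, tampered) == nil,
		AttackerManifestAccepted: VerifyUpdate(vendorPub, mAttacker, sigAttacker, tampered) == nil,
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine accepted: %v\n", o.GenuineAccepted)
	fmt.Printf("tampered installer accepted: %v\n", o.TamperedAccepted)
	fmt.Printf("attacker-signed manifest accepted: %v\n", o.AttackerManifestAccepted)
}
```

The third case is the one that matters for a compromised download site: a digest published on the same server as the installer can be rewritten along with it, so the digest only helps when the manifest carrying it is bound to a key the server never held. Detection of a failed check (a logged "refusing update" event from many clients at once) is also a useful early signal that the distribution point, not the client, has changed.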
We are currently investigating this and related incidents. We do not yet have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanism of the vendors they choose to trust. Software vendors should also prioritize safeguarding their product and update servers and the overall security of their network, considering the impact that a compromise in this area has on their software's users.
Trend Micro blocks all the malicious URLs related to this specific attack and also the malicious component of the compromised installer file. Trend Micro Deep Discovery helps enterprises defend their networks through network-wide visibility, insight, and control.
With additional analysis from threat researchers Harli Aquino and Nikko Tamaña