South Korea attacks – Analysis on how the attackers accessed the networks, by Jaime Blasco
South Korean attacks on financial institutes and the media industry: Jaime Blasco, Labs Director at AlienVault, comments on how the wiper malware works and how the attackers may have got access to the affected networks.
During the day I’ve been thinking about what has just happened in South Korea.
Earlier today we published a quick blog post about how the wiper payload works (http://labs.alienvault.com/labs/index.php/2013/information-about-the-south-korean-banks-and-media-systems-attacks/). It is a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot.
Other companies have published information about the wiper payloads, but no one is giving information about how the attackers gained access to the affected networks. To execute the payload, the attackers would have had to gain access to the companies somehow and execute the wiping routine at the same time on the affected computers.
If the goal of the attackers was to create panic, it means they did not have a specific list of victims. From my point of view, one of the easiest ways to gain access to several targets without having too many resources or skills would be:
- Buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure.
or even better:
- Rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets.
We have seen in the past that large botnets like Zeus, or other financially driven botnets, had access to systems within the networks of large organizations such as Bank of America, Amazon and NASA.
Therefore, finding infected systems in broadcasting and cable companies in South Korea like KBS, MBC and YTN (victims of the attacks) inside fraud botnets wouldn’t be unusual, or would it?
The fact is that after reading some of the Korean news about the attacks:
I found they mentioned several filenames that were involved in the attacks, such as apcruncmd.exe, imbc.exe, sbs.exe, kbs.exe, Bull.exe, Sun.exe, asd.exe, 38.exe, 39.exe, Sad.exe, down.exe, v3lite.exe.
We’ve only analyzed ApcRunCmd.exe, which is the payload that overwrites the MBR. If the information about the filenames is accurate enough, what about the other filenames?
Armed with patience, we began searching for pieces of malware that could generate those filenames and also be related to South Korea.
The first file we found was b7c6caddb869d8c64e34478223108c605c28c7b725f4d1f79e19064cffca74fa, which was submitted to VirusTotal two days ago from South Korea.
When the binary is executed, it creates the following files in the system:
- \Local Settings\Temp\1.tmp\bat.bat
The content of the bat file is shown here:
Basically, it clears the DNS cache for Internet Explorer and modifies the etc/hosts file, adding new entries. When the victim resolves the South Korean bank domain names included in the modified “etc/hosts” file, the domains will point to 18.104.22.168.
It seems the malware also starts the Task Scheduler service using the command “net start Task Scheduler”, probably to create some tasks with malicious purposes. Finally, it creates an autostart registry key to maintain persistence.
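The hosts-file redirection described above can be checked for on an endpoint. The following is an added example, not code from the original post: it parses a hosts file and reports every mapping to a non-loopback address, marking those that cover a watched domain. The sample file, domains and addresses are constructed placeholders, and `audit_hosts` and its parameters are hypothetical names.

```python
import ipaddress

# Constructed sample: a hosts file as it might look after the kind of
# tampering described above. Domains and addresses are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bank-one.example bank-one.example   # added entry
203.0.113.10    login.bank-two.example
0.0.0.0         ads.tracker.example
10.0.0.5        intranet.corp.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip lines without a valid address
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched, allowed=()):
    """Return (line, host, ip, label) for mappings that override DNS."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                            # localhost and sinkhole entries
        if (name, str(ip)) in allowed:
            continue                            # known, documented overrides
        hit = any(name == d or name.endswith("." + d) for d in watched)
        findings.append((line_no, name, str(ip), "watched" if hit else "review"))
    return findings
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; the `watched` list would hold the organisation's own banking and login domains.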
The malware connects to the host home1[.]hades08[.]com (22.214.171.124)
We have found several samples with the same behaviour, using the same filename (imbc.exe) and connecting to similar C&C servers. Examples:
- home2[.]hades08[.]com (126.96.36.199)
- home3[.]hades08[.]com (188.8.131.52)
Other suspicious binaries matching the patterns we were looking for and submitted from South Korea in the last few days were:
internal name: nhncorp
file version: 1,0,0,0
Connects to 184.108.40.206
All the files we mentioned are certainly from the same malware family: they have very similar behaviours with some slight differences, and their filenames match the list we found in the South Korean news. Some vendors call this family Win32.Morix.
The domain hades08[.]com was registered by email@example.com a week ago.
We found the following subdomain:
ddd[.]hades08[.]com that seems to be serving a version of the Chinese Exploit Kit named GonDad:
We found another website, d41[.]asdasd2012[.]com serving the GonDad exploit kit.
The domain registrant for asdasd2012[.]com is also firstname.lastname@example.org and it was registered a day after hades08[.]com.
The relationship is obvious because dl[.]hades08[.]com is now pointing to the same IP address as mb[.]asdasd2012[.]com (220.127.116.11).
According to Google, the domain asdasd2012[.]com has infected 4 domains in the past 90 days including a South Korean website, appstory.co.kr.
On the other hand, take the IP address of the C&C server for the sample with filename v3lite.exe that we previously mentioned, 18.104.22.168.
Using passive DNS we can find the following subdomains of frcvb[.]com pointed to that IP in the last few days:
tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
qqq[.]frcvb[.]com A 121[.]156[.]58[.]135
ttt[.]frcvb[.]com A 121[.]156[.]58[.]135
zzz[.]frcvb[.]com A 121[.]156[.]58[.]135
The domain frcvb[.]com was registered less than a month ago.
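The pivoting used above, linking domains through a shared registrant and through passive DNS records that resolve to the same address, can be automated. This is an added example, not code from the original post: it parses defanged records in the layout shown above and groups registered domains into clusters with a union-find. All domains, addresses and registrant values are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed records in the defanged "name A address" layout used above;
# domains, addresses and registrants are placeholders, not indicators.
PDNS = """\
dl[.]alpha-kit[.]example A 198[.]51[.]100[.]7
mb[.]beta-kit[.]example A 198[.]51[.]100[.]7
d41[.]beta-kit[.]example A 198[.]51[.]100[.]9
tt[.]gamma-cc[.]example A 203[.]0[.]113[.]20
aaa[.]gamma-cc[.]example A 203[.]0[.]113[.]20
www[.]unrelated[.]example A 192[.]0[.]2[.]44
"""
WHOIS = {  # registered domain -> registrant e-mail (constructed)
    "alpha-kit.example": "reg1@registrant.example",
    "beta-kit.example": "reg2@registrant.example",
    "gamma-cc.example": "reg2@registrant.example",
    "unrelated.example": "reg3@registrant.example",
}

def refang(value):
    return value.replace("[.]", ".").lower()

def registered_domain(fqdn):
    # Simplification: last two labels; real data needs the Public Suffix List.
    return ".".join(fqdn.split(".")[-2:])

def parse_pdns(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            yield refang(parts[0]), refang(parts[2])

def cluster(pdns_text, whois):
    """Group domains connected by a shared IP or a shared registrant."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x
    for fqdn, ip in parse_pdns(pdns_text):
        parent[find(("domain", registered_domain(fqdn)))] = find(("ip", ip))
    for dom, email in whois.items():
        parent[find(("domain", dom))] = find(("registrant", email))
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "domain":
            groups[find(node)].add(node[1])
    return sorted(sorted(g) for g in groups.values())
```

In the sample, alpha-kit and beta-kit are joined only by a shared address and beta-kit and gamma-cc only by a shared registrant, so all three land in one cluster. A shared address on a large hosting provider links unrelated sites, so such edges need review before they are treated as attribution.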
According to Google, the domain frcvb[.]com has infected 18 domains in the past 90 days including several South Korean websites:
Another domain that we have detected in the same infrastructure is frcob[.]com, and it is being used as a C&C server for the same malware we previously mentioned:
As another example, the following South Korean websites were also affected by the GonDad exploit kit hosted on frcob[.]com and frcvb[.]com:
The fact is we could probably show you dozens of domains hosting versions of the GonDad exploit kit, affecting South Korean websites and related to the malware family we have been talking about.
It means that hundreds of South Korean websites are pointing to the GonDad exploit kit, and probably thousands of South Korean users have been compromised and are part of a botnet.
If the people behind yesterday’s South Korean attacks had access to some of the infrastructure we have detailed in the blog post, they could have gained access to hundreds if not thousands of South Korean systems, and then they could have chosen which of the compromised systems were in interesting companies. Then they could have manually uploaded another payload to each of the systems and performed lateral movement to own the network. Once they are in the network, they can easily execute the wiping payload.
You should take into account that this is only a theory, and it could even be a very small part of the entire infrastructure they could have used. Maybe this is only an example and they also bought the service or access to other exploit kits/botnets as well (Blackhole, Zeus, Koobface…).
On the other hand, both the exploit kit and the malware mentioned seem to come from China, but the attackers could have bought or rented them on the black market. The addresses used to register some of the related domain names were also Chinese ones.