Friday, September 13, 2013

Kimsuky APT: Operation's possible North Korean links uncovered

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its "master" via a public e-mail server. This approach is typical of many amateur virus-writers.


However, there were a few things that attracted our attention:

- The public e-mail server in question was Bulgarian: mail.bg.
- The compilation path string contained Korean characters (Hangul).

The complete path found in the malware presents some of the Korean strings:

D:\rsh\??\UAC_dll(??)\Release\test.pdb

The "rsh" directory name, by all appearances, is short for "Remote Shell", and the Korean words translate into English as "attack" and "completion", i.e.:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
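A build path like this is pulled from the CodeView "RSDS" debug record that the Microsoft linker embeds in a PE file. The following script is an added example (not code from the original post or from Kaspersky): it scans a raw file image for RSDS records, recovers the PDB path, and flags paths containing Hangul so that a triage run over a large sample set surfaces this kind of clue automatically. One caveat it handles: the linker writes the path in the build machine's ANSI code page, so a Korean-locale build will be cp949, not UTF-8. The sample blob below is constructed for this example, and its Korean path is a placeholder, not the string from the actual sample.

```python
"""Extract PDB build paths from a PE image and flag non-ASCII (e.g. Hangul) ones.

Added example, not the original post's code. Works on raw bytes (a file dump)
by searching for CodeView RSDS records, so no full PE parser is required.
"""
import re
import struct

# CodeView PDB 7.0 ("RSDS") record as embedded by the MSVC linker:
#   "RSDS" | 16-byte GUID | uint32 age | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,1024})\x00", re.DOTALL)

# Hangul syllables (AC00-D7A3) plus compatibility jamo (3131-318E).
HANGUL_RE = re.compile(r"[\uac00-\ud7a3\u3131-\u318e]")

# The path is stored in the build machine's ANSI code page, not UTF-8.
# Try UTF-8 first (many modern toolchains), then cp949 (Korean Windows),
# then latin-1, which never fails and preserves the raw bytes for inspection.
CODECS = ("utf-8", "cp949", "latin-1")


def decode_pdb_path(raw: bytes) -> str:
    """Decode a raw PDB path, falling back through CODECS on decode errors."""
    for codec in CODECS:
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")  # not reached: latin-1 accepts any byte


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in RSDS records within `data`, in file order."""
    return [decode_pdb_path(m.group(3)) for m in RSDS_RE.finditer(data)]


def triage_pdb_path(path: str) -> dict:
    """Summarise the analyst-relevant features of one build path."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    return {
        "path": path,
        "has_hangul": bool(HANGUL_RE.search(path)),
        "non_ascii": not path.isascii(),
        # First directory under the drive letter, e.g. "rsh" in the path
        # discussed above; often a project or operator name.
        "top_dir": parts[1] if len(parts) > 2 else None,
        "file": parts[-1] if parts else None,
    }


def build_rsds(path: str, codec: str, age: int = 1) -> bytes:
    """Build a constructed RSDS record for the sample blob (zero GUID, fixed age)."""
    return b"RSDS" + bytes(16) + struct.pack("<I", age) + path.encode(codec) + b"\x00"


# Constructed stand-in for a PE file: an ASCII build path, then a Korean build
# path written in cp949 as a Korean-locale MSVC would write it. The Korean
# directory name is a placeholder chosen for this example.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(64)
    + build_rsds(r"C:\Users\dev\Release\tool.pdb", "ascii")
    + bytes(32)
    + build_rsds("D:\\build\\한글\\Release\\sample.pdb", "cp949")
    + bytes(16)
)


def report(data: bytes = SAMPLE_BLOB) -> list[dict]:
    """Triage every PDB path in `data`."""
    return [triage_pdb_path(p) for p in extract_pdb_paths(data)]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

Run it against a directory of dropped binaries and sort by `has_hangul` and `top_dir`: samples sharing a top-level project directory are good candidates for the same developer, which is exactly how the "rsh" path became a pivot here.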

We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

- The Sejong Institute: a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.
- Korea Institute For Defense Analyses (KIDA): a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA's mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.
- The Ministry of Unification: an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are establishing North Korea policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.
- Hyundai Merchant Marine: a South Korean logistics company providing worldwide container shipping services.

Some clues also suggest that computers belonging to "The Supporters of Korean Unification" (http://www.unihope.kr/) are also compromised. Of the organizations we counted, 11 are based in South Korea and two are in China.


The campaign involves a large number of minimal malicious programs, but, strangely, each of them implements a single spying function. We found basic libraries responsible for common communication with the campaign master, plus additional modules performing the following functions:

- Keystroke logging
- Directory listing collection
- HWP document theft
- Remote control download and execution
- Remote control access
