At Cyber Squared, we understand that many targeted, government-sponsored or government-sanctioned attacks can be tied directly to current geopolitical events. With the recent instability on the Korean Peninsula in mind, and given the Chinese Communist Party's vested interest in Korean affairs, we have been watching open source threat intelligence for new cyber attacks aimed at South Korean (RoK) or North Korean (DPRK) entities. We have identified at least three recent attacks that we believe specifically target entities in the RoK, and have also found initial evidence of a possible drive-by download attack on an official North Korean website.
Example One: HeartBeat Related Malware
On March 11, 2013, we identified a ThreatExpert report on a sample that appeared to be highly targeted and was likely spearphished to individuals in the Korean government or higher education. The malware drops a decoy PDF document, whose filename contains characters in an unidentified character set, and opens it in Adobe Reader.
At the same time it drops a backdoor executable (MD5 C24A83645C5BB4005CBAF2DF3BFDF4E5) to C:\Windows\Tasks\AcroRd32.exe, borrowing the name of the Adobe Reader binary to blend in.
This small backdoor then connects to a dynamic DNS command and control (C2) server at www.snu.ac.kr[.]passas[.]us on TCP/5004. The C2 domain clearly spoofs the legitimate website of Seoul National University: the real domain appears as the leading labels of a hostname whose registered domain is actually passas[.]us. The sample appears to be a variant of the probable Chinese APT remote access trojan (RAT) that Trend Micro documented in its HeartBeat APT report of January 2013. We also found other hostnames under passas[.]us that clearly target other high profile and highly sensitive RoK entities. For example, www.swc.mil.kr[.]passas[.]us impersonates the website of Korea's Special Warfare Command, the Republic's equivalent of U.S. Special Operations Command (USSOCOM). If these attackers successfully compromised the RoK SWC or affiliated entities, they would likely gain candid insights and sensitive tactical intelligence that could serve as a force multiplier when evaluating the Republic's rapid response and special operations capabilities in the event of a conflict with the North.
We also identified the RoK's National Intelligence Service (NIS) as a possible target from the domain nis.myfw[.]us, which resolves to the same IP, 67.208.74[.]71 (Herndon, Virginia), and the same controller as the swc.mil.kr.passas[.]us C2 domain. These attackers may be attempting to retrieve sensitive details of South Korean intelligence collection operations as well as the NIS's analysis of North Korean topics.
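The spoofing pattern above (a real domain such as snu.ac.kr used as the leading labels of a hostname whose registered domain is attacker-controlled) can be caught generically rather than by exact indicator match. The following script is an added example written for this post, not Cyber Squared's tooling: it refangs the indicators quoted above, flags exact hits, flags any new host under an apex already tied to the activity (passas[.]us, myfw[.]us, goodcosy[.]com), and applies a lookalike heuristic to everything else. The DNS log lines are constructed, and the public-suffix table is a hand-picked stand-in for the real Public Suffix List.

```python
"""Spot C2 hostnames that impersonate a legitimate domain by prefixing it to an
attacker apex (www.snu.ac.kr.passas.us), and any new host under an apex already
tied to this activity. Added example for this post, not Cyber Squared tooling.
"""

# Indicators quoted in the post, kept defanged exactly as printed there.
DEFANGED_INDICATORS = [
    "www.snu.ac.kr[.]passas[.]us",
    "www.swc.mil.kr[.]passas[.]us",
    "nis.myfw[.]us",
    "etnews.goodcosy[.]com",
    "khan.goodcosy[.]com",
    "hankyung.goodcosy[.]com",
]

# Assumption: a tiny suffix table that covers the sample. Real deployments
# should load the Public Suffix List instead of hand-picking entries.
PUBLIC_SUFFIXES = {
    "us", "com", "net", "org", "ru", "pl", "jp", "kp", "kr",
    "ac.kr", "co.kr", "go.kr", "mil.kr", "or.kr", "ne.jp", "com.kp",
}


def refang(indicator):
    """Undo the post's defanging so the indicator matches real log data."""
    return indicator.replace("[.]", ".").replace("hXXp", "http").lower()


def registered_domain(host):
    """Registrable domain: one label left of the longest known suffix, or None."""
    labels = host.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def spoofed_domain(host):
    """Return the legitimate domain a <legit-domain>.<attacker-domain> host
    impersonates, or None.

    The part after the embedded domain must itself be registrable; that keeps
    www.naenara.com.kp (where 'com.kp' is only the suffix) from matching.
    """
    labels = host.lower().strip(".").split(".")
    for cut in range(2, len(labels)):
        embedded = registered_domain(".".join(labels[:cut]))
        remainder = registered_domain(".".join(labels[cut:]))
        if embedded and remainder and embedded != remainder:
            return embedded
    return None


KNOWN_HOSTS = {refang(i) for i in DEFANGED_INDICATORS}
KNOWN_APEXES = {registered_domain(h) for h in KNOWN_HOSTS}


def classify(host):
    """Reason a lookup is suspicious, or None if it looks ordinary."""
    host = host.lower().rstrip(".")
    apex = registered_domain(host)
    if host in KNOWN_HOSTS:
        return "known C2 host"
    if apex in KNOWN_APEXES:
        return "new host under known C2 apex " + apex
    spoof = spoofed_domain(host)
    if spoof:
        return "lookalike of " + spoof + " under " + apex
    return None


def scan_dns_log(text):
    """Parse '<ts> <client> <qtype> <qname>' lines; return (client, qname, reason) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _qtype, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((client, qname.lower().rstrip("."), reason))
    return hits


# Constructed sample, not real traffic; the example.* hosts are placeholders.
SAMPLE_DNS_LOG = """\
2013-03-12T09:14:02Z 10.1.4.23 A www.snu.ac.kr.passas.us
2013-03-12T09:14:05Z 10.1.4.23 A www.snu.ac.kr
2013-03-12T09:20:11Z 10.1.7.8 A nis.myfw.us
2013-03-12T09:21:40Z 10.1.9.2 A www.naenara.com.kp
2013-03-12T09:25:00Z 10.1.4.23 A www.example.go.kr.passas.us
2013-03-12T09:26:13Z 10.1.7.8 A www.example.ac.kr.attacker.net
"""

if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, qname, reason)
```

The ordering in classify matters: exact indicators first, then the apex match (which is what would catch a fresh nis.passas.us the day it appears), and the lookalike heuristic last because it is the noisiest of the three. The remainder check in spoofed_domain is the caveat a practitioner needs: without it, any legitimate host under a two-level suffix such as com.kp would be reported as a lookalike.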
Example Two: Korean News Media Threats
As we reported in February, after the New York Times and other media organizations disclosed details of state-sponsored intrusions, threat groups also targeted individuals and affiliates of RoK news services. In another recent ThreatExpert analysis, a file of unknown origin attempted to drop a Hangul Word Processor (.HWP) document and then download an executable backdoor from a server in Korea. Hangul Word Processor is a Korean-language equivalent of Microsoft Word developed by Hancom. Because ThreatExpert is an American service that does not have Hangul installed, the analysis system displayed an error message when it tried to open the .hwp file.
The dropper connects to 216.83.43[.]226 (Aptos, California) on TCP/8000 and also downloads an executable, served with a .gif extension, from hXXp://www.castnet.co[.]kr/etn/etnews.gif; that executable connects back to etnews.goodcosy[.]com on TCP/443. This C2 domain almost certainly impersonates the Korean Electronic Times (etnews) website. We also found a similar backdoor submitted to ThreatExpert on November 13, 2012 that connected to khan.goodcosy[.]com on TCP/443; that C2 domain spoofs the Kyunghyang Shinmun, a Korean newspaper, as indicated by a registry value the malware creates.
Yet another similar backdoor appeared in a McAfee virus description dated January 31, 2013; it used C2 at hankyung.goodcosy[.]com, in this instance spoofing the Korea Economic Daily (Hankyung).
We believe this malware is targeting South Korean news agencies and journalists. The use of C2 domains impersonating news sites and the dropped HWP document strongly suggest targeted spearphishing. The attackers are probably after information on South Korean sentiments and intentions regarding the continued “sabre rattling” from Pyongyang in recent weeks. The targeted journalists likely have access to “off the record” sensitive but unclassified information and sentiments that would be of high value to China and North Korea.
Example Three: Drive-by Attack on Korean Military Top Brass
We recently observed a drive-by attack that used Internet Explorer (IE) and Java exploits to infect current and former South Korean military users. Specifically, the website of the Korean Retired Generals and Admirals Association has been hosting malicious content and redirecting vulnerable visitors to multiple browser-based exploits.
On March 12, 2013, the website was submitted to Jsunpack. The site contained malicious JavaScript that fingerprints the browser version and installed plugins and loads the matching exploit from:
- hXXp://www.3dvideo[.]ru/new/dvd/h/hwpjava.html (Java)
- hXXp://www.3dvideo[.]ru/new/dvd/h/hwp.html (IE CVE-2012-4792)
The Java exploit page loads one of two JAR files depending on the installed Java version: AppletHigh.jar (CVE-2013-0422, the January 2013 Java 7 sandbox bypass) or AppletLow.jar (CVE-2011-3544, the older Rhino script engine flaw).
This tandem Java exploit configuration has also been used in many other targeted drive-by attacks attributed to Chinese groups since the start of 2013.
For Internet Explorer users, the exploit at hwp.html uses a Flash SWF heap spray file at hXXp://www.3dvideo[.]ru/new/dvd/h/logo1229.swf to prepare memory for the CVE-2012-4792 exploit and decodes the payload from JavaScript. This variation of the IE exploit is also a repeat of code used in other recent drive-by attacks.
The payload for both Java exploits and the IE exploit is the same file. This malware is a downloader that requests a PHP page at www.3dvideo[.]ru/new/3d/d/hwp.php. The server-side PHP script displays a fake “Page Not Found!” message, so an analyst who fetches the URL in a browser sees only a missing page, while the response actually carries encoded data that is decoded on the victim machine into a Poison Ivy backdoor connecting to a dynamic DNS C2 domain at k.tc.ikwb[.]com. This downloader variant was previously used as the payload of attacks involving the Reporters Without Borders website in January 2013.
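Because every stage of this chain lives on the same host and the paths are known, a proxy log can be replayed per client to see how far each victim got: landing page, JAR or SWF, the hwp.php downloader beacon, and finally the Poison Ivy C2. The script below is an added example for this post, not the post's own tooling. The hostnames and paths are the ones quoted above (refanged); the log lines are constructed, the compromised site's URL is a placeholder because the post does not print it, and the C2 beacon is modelled as a proxy CONNECT to k.tc.ikwb.com on an assumed port, since the post names the C2 domain but not how it would appear in a proxy log.

```python
"""Reconstruct the 3dvideo.ru drive-by chain per client from proxy log lines:
landing page -> Java/SWF exploit -> hwp.php downloader -> Poison Ivy C2.
Added example for this post, not the post's own tooling. Log lines are
constructed; the CONNECT form of the C2 beacon and its port are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage of the chain as a pattern over the URL with its scheme removed.
# Hostnames and paths come straight from the post (refanged).
STAGES = [
    ("landing", re.compile(r"^www\.3dvideo\.ru/new/dvd/h/hwp(java)?\.html$", re.I)),
    ("exploit", re.compile(r"^www\.3dvideo\.ru/new/dvd/h/(applethigh\.jar|appletlow\.jar|logo1229\.swf)$", re.I)),
    ("downloader", re.compile(r"^www\.3dvideo\.ru/new/3d/d/hwp\.php$", re.I)),
    ("c2", re.compile(r"^k\.tc\.ikwb\.com(:\d+)?(/.*)?$", re.I)),  # assumed CONNECT form
]
WINDOW = timedelta(minutes=10)  # how long after the first hit we still chain events


def stage_of(url):
    """Name of the chain stage a URL belongs to, or None."""
    bare = re.sub(r"^https?://", "", url, flags=re.I)
    for name, pattern in STAGES:
        if pattern.match(bare):
            return name
    return None


def parse_line(line):
    """Constructed format: '<iso-ts> <client> <method> <url> <status> <referer|->'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, referer = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url,
        "status": int(status), "referer": referer,
    }


def verdict(stages):
    """The deepest stage reached decides the call."""
    if "c2" in stages or "downloader" in stages:
        return "likely infected"
    if "exploit" in stages:
        return "exploit delivered, outcome unknown"
    if "landing" in stages:
        return "exposed to landing page"
    return "clean"


def correlate(log_text, window=WINDOW):
    """Group successful (2xx) stage hits per client and summarise each chain.

    Returns {client: {"stages": [...in order...], "referer": landing referer,
    "verdict": str}}. The landing referer is the page that sent the victim to
    the kit, i.e. the compromised site worth investigating next.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue  # a 404 on the JAR or SWF means nothing was delivered
        stage = stage_of(rec["url"])
        if stage:
            events[rec["client"]].append((rec["ts"], stage, rec["referer"]))
    summary = {}
    for client, hits in events.items():
        hits.sort()
        start = hits[0][0]
        stages, referer = [], None
        for ts, stage, ref in hits:
            if ts - start > window:
                break
            if stage not in stages:
                stages.append(stage)
            if stage == "landing" and ref != "-" and referer is None:
                referer = ref
        summary[client] = {"stages": stages, "referer": referer, "verdict": verdict(stages)}
    return summary


# Constructed sample, not captured traffic. The referer is a placeholder for
# the compromised association site, whose URL the post does not print.
SAMPLE_PROXY_LOG = """\
2013-03-12T10:01:03Z 10.2.3.4 GET http://www.3dvideo.ru/new/dvd/h/hwpjava.html 200 http://compromised-site.example/
2013-03-12T10:01:04Z 10.2.3.4 GET http://www.3dvideo.ru/new/dvd/h/AppletHigh.jar 200 http://www.3dvideo.ru/new/dvd/h/hwpjava.html
2013-03-12T10:01:09Z 10.2.3.4 GET http://www.3dvideo.ru/new/3d/d/hwp.php 200 -
2013-03-12T10:01:31Z 10.2.3.4 CONNECT k.tc.ikwb.com:443 200 -
2013-03-12T10:05:00Z 10.2.3.9 GET http://www.3dvideo.ru/new/dvd/h/hwp.html 200 http://compromised-site.example/
2013-03-12T10:05:01Z 10.2.3.9 GET http://www.3dvideo.ru/new/dvd/h/logo1229.swf 404 http://www.3dvideo.ru/new/dvd/h/hwp.html
2013-03-12T10:30:00Z 10.2.3.12 GET http://www.3dvideo.ru/new/dvd/h/hwpjava.html 200 -
"""

if __name__ == "__main__":
    for client, info in correlate(SAMPLE_PROXY_LOG).items():
        print(client, info["verdict"], info["stages"], info["referer"])
```

Two details carry the value here. Filtering on 2xx status keeps a client whose exploit fetch failed from being scored as compromised, and recording the referer of the landing hit turns the kit's own URLs into a pivot that names the compromised site, which is how a page like the association website would be found from the proxy side.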
Interestingly, a separate IE exploit (CVE-2010-0806) is also present on the hacked Korean website at /popup/star_pop060801.html. This exploit downloads payload and configuration files from the following locations on a legitimate site:
- hXXp://lifeinfo365[.]com/images/main/main_com.inf (Not Present as of 2013/03/16)
- hXXp://lifeinfo365[.]com/images/main/main_com.gif (DLL Payload)
The DLL payload from main_com.gif most likely requires the INF file to identify the C2, as we did not observe any connection attempts made only by the DLL.
The ability to infect and spy on current and former South Korean military officers would give these attackers distinct and candid insights into the thinking and intentions of the wider RoK military and government. Perhaps the attackers (most likely China and possibly North Korea) have already gained a better understanding of how the South would react to overt North Korean aggression, and perhaps those nations have already adjusted their diplomatic strategy as a result. That these insights could be made possible by a few lines of code on a compromised website should give all potential targets and stakeholders more reason to take cyber security seriously, especially during times of heightened tension.
Example Four: Possible Naenara Compromise
On March 14, multiple Western news agencies reported that the DPRK government was accusing the United States and South Korea of launching denial-of-service (DoS) attacks that had knocked websites offline and caused problems with North Korea's Koryolink service. Although we cannot confirm that North Korean websites were offline at the time, we have found evidence of a recent compromise of www.naenara.com[.]kp, one of the relatively few official DPRK websites. Since March 15, 2013, Google Safe Browsing has flagged the site as malicious.
The Safe Browsing report states that malware was found on 18 of the 5726 pages tested on the site. Such a small fraction of pages suggests that the attackers have specific objectives in mind, although it may also simply reflect which pages or templates the attackers were able to modify. The report also states that “malicious software is hosted on 3 domain(s), including zief[.]pl, ecpage.sakura.ne[.]jp, chura[.]pl.” It appears that the site has been strategically compromised with exploits. However, until we pinpoint the exact locations of the malware or obtain additional data points, we cannot draw any conclusions, firm or speculative, about who is behind this attack.
Conclusion:
Throughout this period of increased political instability on the Korean Peninsula, Cyber Squared continues to find evidence that South Korea is being persistently targeted. We assess with moderate to high confidence that this activity is the work of multiple Chinese threat groups, perhaps even acting on behalf of North Korea. Although no direct evidence points to a North Korean cyber threat group, the North Koreans would be likely beneficiaries of the insights these activities could yield. We have also observed initial evidence that an official North Korean web portal has been compromised with possible browser-based exploits. In aggregate, all of these activities correlate with a rough patch in inter-Korean relations and a critical time for China to reevaluate its relationship with both Koreas. We have shared details of these threats within Incident “20130318A: Tale of Two Koreas Blog” with our ThreatConnect.com community. We will continue to diligently monitor both the geopolitical and information security developments involving the two Koreas.