The researchers reported linking a number of targeted attacks hitting 11 organisations based in South Korea and two entities in China. Targets include the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the supporters of Korean unification.
The attacks reportedly started appearing on 3 April and use an "unsophisticated" Trojan spy program called Kimsuky. Vitaly Kamluk, chief malware expert in Kaspersky Lab's global research and analysis team, told V3 the malware is particularly interesting as it has an atypical focus on collecting Hangul Word Processor (HWP) files and includes code that disables security tools from prominent South Korean security firm, AhnLab.
“Technical analysis of the malware gives us an idea that we have encountered work of amateur virus-writers. Besides the unsophisticated spy program, which communicated with its ‘master’ via a Bulgarian public e-mail server, there are a lot of malicious programs involved in this campaign, but strangely, they each implement a single spying function,” he said.
“For example, the Kimsuky malware contains a dedicated malicious program designed for stealing HWP files. Also, there is a special module responsible only for disabling the system firewall and security tools from AhnLab, a South Korean anti-malware company. One more interesting feature of this malware is that the attackers are using a modified version of the legitimate software – the TeamViewer remote access application – to serve as a back door to get access to any files from the infected machines.“
The focus on HWP file collection indicates that the attack is bespoke designed to steal military and government documents. HWP is a common file format used by South Korean agencies, which currently use the Hancom Office bundle word processing application as opposed to Microsoft's more common Word application.
Kamluk said upon further analysis they discovered two pieces of evidence suggesting that the attack is of North Korean origin. “First of all, profiles of the targets speak for themselves – South Korean universities conducting research on international affairs and producing defence policies for government, a national shipping company, and support groups for Korean unification. Secondly – a compilation path string containing Korean words (for example, some of them could be translated as English commands ‘attack’ and ‘completion’,” he said.
He added that the firm was able to link the campaign to two email address, which appeared to originate to IP addresses within ranges of the Jilin Province Network and Liaoning Province Network in China, a region that acts as a base for internet service providers (ISPs) believed to have strong ties with North Korea.
“Third – two email addresses to which bots send reports on status and transmit infected system information via attachments – iop110112@hotmail.com and rsh1213@hotmail.com – are registered with the following ‘kim’ names: ‘kimsukyang’ and ‘Kim asdfa’,” he said.
“Even though this registration data does not provide hard data about the attackers, the source IP-addresses of the attackers fit the profile: there are 10 originating IP-addresses, and all of them lie in ranges of the Jilin Province Network and Liaoning Province Network in China. The ISPs providing internet access in these provinces are also believed to maintain lines into parts of North Korea.”
No comments:
Post a Comment