
How South Korean Bank Malware Spread

Attackers used stolen usernames and passwords for legitimate AhnLab Patch Manager accounts, set wiper software for staggered deletes to maximize damage.

The malware attacks that successfully compromised an estimated 32,000 South Korean systems Wednesday were distributed, at least in part, using legitimate enterprise patch management software.

Attackers used stolen usernames and passwords to access AhnLab Patch Management software running in at least some of the affected businesses. "The credentials were used to gain access to individual patch management systems located on the affected networks," read a statement released Friday by the AhnLab Security Emergency Response Center (ASEC). "Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates."

The resulting malware infections compromised Windows, Unix and Linux systems at South Korea's Jeju, NongHyup and Shinhan banks, as well as television broadcasters KBS, MBC and YTN. The malicious code used by attackers included "wiper" malware, with a built-in logic bomb set to begin overwriting a computer's master boot record (MBR) data at a preset time Thursday afternoon, and then rebooting, which would render the system inoperable. Some of the Trojan applications used in the attacks could also remotely wipe network-connected Unix and Linux systems.


AhnLab emphasized that when attackers accessed its patch management software, running at targeted sites, they used legitimate access credentials rather than exploiting zero-day vulnerabilities in the code or stealing or compromising any of the digital certificates the company uses to sign its code. "Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code," said AhnLab's statement.

AhnLab also cited a report in which Ryou Jae Cheol, a professor of computer engineering and security at South Korea's Chungnam National University, said that the North Korean government had launched the attack using Chinese-developed code. In fact, Cheol -- referencing a Thursday report from the Korean Communications Commission (KCC) that the attacks had been launched via an IP address registered in China -- told Bloomberg Thursday that "discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there."

By Friday, however, South Korean officials changed their story, noting that they'd been "careless" to ascribe to China an IP address that was actually privately registered to South Korea's NongHyup bank. According to the KCC, at least some of the malware attacks were launched from a single NongHyup system, inside South Korea.

Many of the systems exploited in the attacks were infected with malware at least one day prior. According to research published by Trend Micro, some of the malware used in the attacks was distributed via a spear-phishing campaign that commenced on Tuesday, March 19.

But a threat researcher at security firm F-Secure, who goes by the name "Brod," said in a blog post Monday that a malicious HTML archive used in some of the South Korea attacks was created on March 17, which is three days before the logic bomb was triggered.

The malicious HTML archive claimed to be an account history for Shinhan bank customers, which was one of the businesses exploited in the attacks. "The malware inside the archive is using double extensions combined with a very long filename to hide the real extension," said Brod. "This is a common social engineering tactic that started during the era of mass-mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as attachment in spear phishing e-mails."
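As an added illustration, not code from the article or from F-Secure, here is a small Python heuristic a mail gateway or archive scanner could apply to flag attachment names that use the double-extension plus long-padding trick Brod describes; the extension lists, the length threshold and the sample filenames are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Extensions Windows will execute; the trick hides one of these behind a
# document-looking name and a long run of padding (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "dll"}
# Extensions users expect on a harmless attachment (assumed list).
DOCUMENT_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "htm", "html", "jpg"}
MAX_SANE_NAME = 80  # assumed threshold: legitimate attachment names are rarely longer


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if `name` looks like a disguised executable, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1].strip() not in EXECUTABLE_EXTS:
        return None  # no executable extension at the end: not this trick
    final_ext = parts[-1].strip()
    stem = ".".join(parts[:-1])
    # The extension immediately before the real one, ignoring padding between them.
    inner = stem.rstrip().split(".")[-1].strip() if "." in stem else ""
    reasons = []
    if inner in DOCUMENT_EXTS:
        reasons.append(f"double extension .{inner}.{final_ext}")
    # Long runs of spaces, underscores or dashes push the real extension out of view.
    if re.search(r"[ _\-]{10,}", name):
        reasons.append("long whitespace/underscore padding before extension")
    if len(name) > MAX_SANE_NAME:
        reasons.append(f"filename length {len(name)} exceeds {MAX_SANE_NAME}")
    return "; ".join(reasons) if reasons else None


def scan_names(names: List[str]) -> Dict[str, str]:
    """Map each flagged filename to its reason; names that pass are omitted."""
    findings = {}
    for n in names:
        reason = classify_filename(n)
        if reason:
            findings[n] = reason
    return findings


# Constructed archive listing (not from the real attack) that mimics the trick.
SAMPLE_NAMES = [
    "Shinhan_account_history_2013.xls" + " " * 120 + ".exe",
    "statement.pdf.scr",
    "readme.txt",
    "invoice.exe",
]

if __name__ == "__main__":
    for fname, why in scan_names(SAMPLE_NAMES).items():
        print(f"FLAGGED {fname.strip()!r}: {why}")
```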

Not all of the malware, however, was launched via spear-phishing emails. "Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its users, who uses a vulnerable SSH client, infected for it to get toasted," said Brod.

Attackers used software that could not only wipe Windows systems but also remotely wipe Unix and Linux systems. "Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks," said Brod. "These are either third-party applications or not supported by Windows natively."

Researchers at Symantec reported Friday that they've now recovered four different types of wipers used in the attacks. One of the wipers was written as a DLL file that was injected into LSASS.exe, which is the Windows Local Security Authentication Server, while the other three are standalone position-independent executable (PIE) code.

Timing-wise, two of the wipers were instructed to immediately wipe upon execution, according to a Symantec Security Response blog post. "Another was instructed to wipe specifically at 2PM on March 20, 2013. We have recently come across another sample ... that wipes at 3PM on March 20, independent of year," the post continued.

In the wake of last week's attacks, some security researchers had suggested that the apparently scattershot list of targets may have been designed solely to cause panic. But researchers have since discovered overlapping malware that's able to wipe multiple systems, backed by redundant logic bomb timing seemingly designed to cause maximum damage. "All these specifics give the impression of a targeted attack," said F-Secure's Brod.

