
How South Korean Bank Malware Spread

Attackers used stolen usernames and passwords for legitimate AhnLab Patch Manager accounts, and set wiper software for staggered deletes to maximize damage.

The malware attacks that successfully compromised an estimated 32,000 South Korean systems Wednesday were distributed, at least in part, using legitimate enterprise patch management software.

Attackers used stolen usernames and passwords to access AhnLab Patch Management software running in at least some of the affected businesses. "The credentials were used to gain access to individual patch management systems located on the affected networks," read a statement released Friday by the AhnLab Security Emergency Response Center (ASEC). "Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates."

The resulting malware infections compromised Windows, Unix and Linux systems at South Korea's Jeju, NongHyup and Shinhan banks, as well as television broadcasters KBS, MBC and YTN. The malicious code used by attackers included "wiper" malware, with a built-in logic bomb set to begin overwriting a computer's master boot record (MBR) data at a preset time Thursday afternoon, and then rebooting, which would render the system inoperable. Some of the Trojan applications used in the attacks could also remotely wipe network-connected Unix and Linux systems.
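The wiper described above works by overwriting the first sector of the disk, the master boot record, so the machine no longer boots. The following added example (not code from the article, AhnLab, Symantec or F-Secure) shows the defender's side of that: a baseline integrity check that fingerprints a known-good MBR, re-parses the boot signature and partition table later, and classifies the sector as unchanged, modified or overwritten. The MBR bytes and the "wipe" are constructed in memory for the example; on a real host you would read the first 512 bytes of the physical disk with administrative privileges instead.

```python
"""Baseline integrity check for a 512-byte master boot record (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of bootstrap code precede the table
PARTITION_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of every valid MBR


def build_sample_mbr() -> bytes:
    """Construct a synthetic but structurally valid MBR (constructed data, not from any real
    system): placeholder bootstrap code, one bootable NTFS-type entry, three empty entries,
    and the boot signature."""
    bootstrap = (b"\xfa\x33\xc0" * 150)[:PARTITION_TABLE_OFFSET]
    # status 0x80 = bootable, type 0x07 = NTFS/exFAT, starts at LBA 2048, 2,000,000 sectors long
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 2_000_000)
    table = entry + b"\x00" * 48
    return bootstrap + table + BOOT_SIGNATURE


def simulate_wipe(sector: bytes) -> bytes:
    """Constructed stand-in for the wiper's effect: the whole sector is overwritten with zeros.
    The actual byte pattern a given wiper writes is irrelevant to the check below."""
    return b"\x00" * len(sector)


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the raw sector, recorded when the host is known to be healthy."""
    return hashlib.sha256(sector).hexdigest()


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Return the populated entries of the four-slot partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(PARTITION_ENTRY, sector[off:off + 16])
        if ptype != 0:                      # type 0x00 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def assess_mbr(sector: bytes, baseline_fingerprint: str) -> dict:
    """Compare the current sector with the recorded baseline and give a verdict:
    'unchanged', 'mbr-modified' (structure intact, bytes differ) or 'mbr-overwritten'
    (signature or partition table gone, which is what a wiper leaves behind)."""
    signature_ok = has_boot_signature(sector)
    partitions = parse_partition_table(sector)
    if fingerprint(sector) == baseline_fingerprint:
        verdict = "unchanged"
    elif not signature_ok or not partitions:
        verdict = "mbr-overwritten"
    else:
        verdict = "mbr-modified"
    return {"signature_ok": signature_ok, "partitions": partitions, "verdict": verdict}


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = fingerprint(healthy)
    print("healthy:", assess_mbr(healthy, baseline)["verdict"])
    print("after wipe:", assess_mbr(simulate_wipe(healthy), baseline)["verdict"])
```

A fingerprint mismatch alone is not proof of a wiper (legitimate repartitioning or a boot-loader update also changes the sector), which is why the verdict distinguishes a still-parseable change from a sector whose signature and table are gone; the second case is what warrants an immediate alert, and it is only useful if the check runs before the wiper's scheduled reboot.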


AhnLab emphasized that when attackers accessed its patch management software, running at targeted sites, they used legitimate access credentials rather than exploiting zero-day vulnerabilities in the code or stealing or compromising any of the digital certificates the company uses to sign its code. "Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code," said AhnLab's statement.

AhnLab also cited a report that Ryou Jae Cheol, a professor of computer engineering and security at South Korea's Chungnam National University, said that the North Korean government had launched the attack, using Chinese-developed code. In fact, Cheol -- referencing a Thursday report from the Korean Communications Commission (KCC) that the attacks had been launched via an IP address registered in China -- told Bloomberg Thursday that "discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there."

By Friday, however, South Korean officials changed their story, noting that they'd been "careless" to ascribe to China an IP address that was actually privately registered to South Korea's NongHyup bank. According to the KCC, at least some of the malware attacks were launched from a single NongHyup system, inside South Korea.

Many of the systems exploited in the attacks were infected with malware at least one day prior. According to research published by Trend Micro, some of the malware used in the attacks was distributed via a spear-phishing campaign that commenced on Tuesday, March 19.

But a threat researcher at security firm F-Secure, who goes by the name "Brod," said in a blog post Monday that a malicious HTML archive used in some of the South Korea attacks was created on March 17, which is three days before the logic bomb was triggered.

The malicious HTML archive claimed to be an account history for Shinhan bank customers, which was one of the businesses exploited in the attacks. "The malware inside the archive is using double extensions combined with a very long filename to hide the real extension," said Brod. "This is a common social engineering tactic that started during the era of mass-mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as an attachment in spear phishing e-mails."
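The double-extension trick Brod describes is easy to screen for at a mail gateway or in attachment logs. The added example below (not F-Secure's code or the article's) scores attachment filenames on three indicators: a document-like extension sitting in front of an executable one, a run of whitespace used to push the real extension out of view, and an unusually long name. The extension lists, thresholds and sample filenames are all assumptions constructed for the example.

```python
"""Flag attachment names that hide an executable extension behind a decoy (added example)."""
import re

# Extensions Windows runs directly on double-click. Illustrative subset, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Extensions a recipient would expect on a harmless document or image.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "htm", "html", "jpg", "png"}

MIN_PADDING = 8    # a whitespace run at least this long counts as deliberate padding
LONG_NAME = 64     # names at or above this length are flagged as unusually long

# Constructed sample filenames, modelled on the tactic described in the text.
SAMPLE_NAMES = [
    "Shinhan_account_history_2013.htm" + " " * 40 + ".scr",   # decoy + padding + long
    "account_history.pdf.exe",                                # decoy + executable
    "quarterly_report.xlsx",                                  # ordinary document
    "archive.tar.gz",                                         # benign double extension
]


def analyze_attachment_name(name: str) -> dict:
    """Return the indicators found in one filename and an overall suspicious flag."""
    parts = name.split(".")
    # Normalise every extension: drop surrounding padding and ignore case.
    exts = [p.strip().lower() for p in parts[1:]]
    final_ext = exts[-1] if exts else ""
    indicators = []

    if final_ext in EXECUTABLE_EXTS and any(e in DECOY_EXTS for e in exts[:-1]):
        indicators.append("decoy-extension-before-executable")

    longest_ws = max((len(run) for run in re.findall(r"\s+", name)), default=0)
    if longest_ws >= MIN_PADDING:
        indicators.append("whitespace-padding")

    if len(name) >= LONG_NAME:
        indicators.append("unusually-long-name")

    # Only a name that actually ends in an executable extension is treated as suspicious;
    # a long or padded document name is odd but not this tactic.
    suspicious = final_ext in EXECUTABLE_EXTS and bool(indicators)
    return {"name": name, "final_extension": final_ext,
            "indicators": indicators, "suspicious": suspicious}


def triage(names: list) -> list:
    """Return the subset of names that should be quarantined for review."""
    return [n for n in names if analyze_attachment_name(n)["suspicious"]]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_attachment_name(n)
        print(f"{r['suspicious']!s:5} {r['final_extension']:4} {r['indicators']} {n!r}")
```

Note that `archive.tar.gz` is not flagged even though it has two extensions: the check keys on the final extension being executable, so compressed or archived documents pass while `account_history.pdf.exe` does not. A plain `setup.exe` also passes this particular check, which is intentional; whether bare executables are allowed as attachments at all is a separate policy decision.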

Not all of the malware, however, was launched via spear-phishing emails. "Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its users, who uses a vulnerable SSH client, infected for it to get toasted," said Brod.

Attackers used software that could not only wipe Windows systems but also remotely wipe Unix and Linux systems. "Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks," said Brod. "These are either third-party applications or not supported by Windows natively."

Researchers at Symantec reported Friday that they've now recovered four different types of wipers used in the attacks. One of the wipers was written as a DLL file that was injected into LSASS.exe, which is the Windows Local Security Authentication Server, while the other three are standalone position-independent executable (PIE) code.

Timing-wise, two of the wipers were instructed to immediately wipe upon execution, according to a Symantec Security Response blog post. "Another was instructed to wipe specifically at 2PM on March 20, 2013. We have recently come across another sample ... that wipes at 3PM on March 20, independent of year," the post continued.

In the wake of last week's attacks, some security researchers had suggested that the apparently scattershot list of targets may have been designed solely to cause panic. But researchers have since discovered overlapping malware that's able to wipe multiple systems, backed by redundant logic bomb timing seemingly designed to cause maximum damage. "All these specifics give the impression of a targeted attack," said F-Secure's Brod.

