South Korea Attackers Set Time Bomb For Data-Destroying Malware

More details emerged today about the genesis of the targeted attacks yesterday on South Korean banks, media outlets, and an ISP -- including a timer set for the Master Boot Record (MBR) wiper program to activate at 2 p.m. local time yesterday, a spearphishing email, and Android malware.

[Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit. See 'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets.]

Given that the attacks that ultimately wiped data from hard drives and attached drives on machines at three media outlets, two banks, and an ISP in South Korea occurred around that same time, researchers were initially unsure how the attackers set the initial infection trap that led to the widespread destruction. But today, Trend Micro researchers revealed that on March 19, they spotted a phishing email sent to South Korean organizations purportedly from a bank, but with a malicious attachment that contained a Trojan downloader.

The researchers say in a blog post that the MBR wiper malware that hit Windows machines was set to remain dormant until 2 p.m. South Korean time yesterday. When it was activated, it terminated specific processes, searched remote connections stored by tools mRemote and SecureCRT, and used stored root credentials to log into Linux servers and then wipe the MBR, or delete kernel and other folders.

Researchers at RSA, meanwhile, have discovered what they say may be a possible mobile app connection to the South Korea attacks; if confirmed, it would be the first major attack using mobile devices.

It started with a key exchange using an encryption module popular in Korea called XGate, akin to SSL, according to RSA. XGate 3.0 was hit by a buffer overflow attack, according to their findings. "The Korean attack appears to be a targeted attack against the popular Xgate module, wiping the master boot record and rebooting the system. This victim was using XGate to handle payment processing. Other victims across the country were likely using it for open encryption of one sort or another," writes RSA researcher "Fiedler" in a post today.

RSA traced the source IP address to Korea Telecom and to a user agent that RSA researchers had seen before -- and it belongs to an Android phone. That IP address was associated with a user agent string for an Android phone, according to RSA, associated with a previous spearphishing attack. The theory is that the South Korea attackers either used an authorized app that connected victims to an online payment site, or a buffer overflow attack on the key generation process that injected code and ultimately spread.

"Based on what we're seeing, this was a multivector attack," says Will Gragido, senior manager with RSA FirstWatch Advanced Research Intelligence.

It also demonstrates just how fragile networks really are today. "And the evidence is clear that as simple of an attack [as one] launched from a cell or tablet can have pretty significant ramifications" and it can happen anywhere, he says.

Jim Jaeger, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, says he can't confirm just where the attacks came from or how they started, but it was likely waged via multiple sectors. "Given that the attacks involved banking, an Android connection would not be surprising. And this would be the first big mobile attack if in fact it was a primary vector," Jaegar says. "But this involved a large enough set of different targets that there were likely to be multiple attack vectors."

But the user-string agent comment studied by RSA could be spoofed, notes Satnam Narang, manager at Symantec Security Response.

Richard Henderson, a security strategist at Fortinet, says the mobile angle is interesting but may not make sense when there are simpler infection techniques. "The idea itself isn't far-fetched, though: an attacker launching an attack via an Android phone. But honestly, it makes no sense to go to the effort when it's easier to just go the exploit pack route, which clearly works and works well," Henderson says. "Nothing's come across internally [here] to attribute this attack to anything with a mobile angle."

Meanwhile, there may be other victims or organizations that were able to repel the attacks, General Dynamics' Jaeger says. "The other interesting question is whether we will get indications over the next week or two if some companies were successful in foiling these attacks," he says. "I suspect these [banks and media firms] were not the only victims."

Meanwhile, South Korean officials today said the attacks came from an IP address in China, according to a report today from CNN.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.