South Korea Attackers Set Time Bomb For Data-Destroying Malware

Spearphishing email discovered as a possible initial attack vector, malicious Android mobile clue found

More details emerged today about the genesis of the targeted attacks yesterday on South Korean banks, media outlets, and an ISP -- including a timer set for the Master Boot Record (MBR) wiper program to activate at 2 p.m. local time yesterday, a spearphishing email, and Android malware.

[Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit. See 'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets.]

Given that the attacks that ultimately wiped data from hard drives and attached drives on machines at three media outlets, two banks, and an ISP in South Korea occurred around that same time, researchers were initially unsure how the attackers set the initial infection trap that led to the widespread destruction. But today, Trend Micro researchers revealed that on March 19, they spotted a phishing email sent to South Korean organizations purportedly from a bank, but with a malicious attachment that contained a Trojan downloader.

The researchers say in a blog post that the MBR wiper malware that hit Windows machines was set to remain dormant until 2 p.m. South Korean time yesterday. When it was activated, it terminated specific processes, searched remote connections stored by tools mRemote and SecureCRT, and used stored root credentials to log into Linux servers and then wipe the MBR, or delete kernel and other folders.
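The Linux leg of the attack described above (a root login made with credentials lifted from a remote-connection tool, followed almost immediately by an MBR overwrite or deletion of the kernel tree) leaves a recognisable trace in ordinary auth logs. The following is an added illustration, not code from the article or from Trend Micro's report, of a small correlation check a defender could run over sshd and sudo log lines to flag that sequence. All log lines, hostnames, IPs and the command paths are constructed samples; the five-minute window and the list of device and path patterns are assumptions chosen for the example.

```python
"""
Added example (not from the Dark Reading article or Trend Micro's analysis):
correlate root SSH logins with destructive commands issued shortly afterwards on
the same host. Every log line below is a constructed sample in standard sshd and
sudo syslog format; hosts, addresses and timestamps are made up.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: two hosts show the suspicious sequence, one does not.
SAMPLE_LOG = """\
Mar 20 13:59:02 db01 sshd[2211]: Accepted password for root from 10.0.5.17 port 51234 ssh2
Mar 20 13:59:05 db01 sudo:     root : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/dd if=/dev/zero of=/dev/sda bs=512 count=1
Mar 20 14:01:40 web02 sshd[3190]: Accepted publickey for deploy from 10.0.5.40 port 40022 ssh2
Mar 20 14:01:44 web02 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/git pull
Mar 20 14:03:10 app03 sshd[4102]: Accepted password for root from 10.0.5.17 port 51240 ssh2
Mar 20 14:03:12 app03 sudo:     root : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/rm -rf /boot /kernel
"""

# sshd "Accepted <method> for <user> from <src>" lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
# sudo command-audit lines; only the COMMAND= field is needed here.
CMD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r".*COMMAND=(?P<cmd>.*)$"
)
# Commands that overwrite a raw disk (boot sector) or remove the boot/kernel tree.
# Assumed pattern list: extend it for the device naming used in your environment.
DESTRUCTIVE_RE = re.compile(
    r"(\bdd\b.*\bof=/dev/(sd|hd|vd|xvd|nvme|mmcblk)"
    r"|\brm\b\s+-\S*r\S*\s+.*(/boot|/kernel|/lib/modules))"
)


def parse_ts(stamp, year=2013):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2013 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_wiper_pattern(log_text, window=timedelta(minutes=5)):
    """Return (host, source_ip, command) for every destructive command that
    follows a root SSH login on the same host within `window`."""
    logins = []  # (ts, host, src_ip) for root logins only
    cmds = []    # (ts, host, user, command) for destructive commands only
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["user"] == "root":
            logins.append((parse_ts(m["ts"]), m["host"], m["src"]))
            continue
        m = CMD_RE.match(line)
        if m and DESTRUCTIVE_RE.search(m["cmd"]):
            cmds.append((parse_ts(m["ts"]), m["host"], m["user"], m["cmd"]))

    hits = []
    for ts_c, host, _user, cmd in cmds:
        for ts_l, lhost, src in logins:
            # Login must precede the command, on the same host, inside the window.
            if lhost == host and timedelta(0) <= ts_c - ts_l <= window:
                hits.append((host, src, cmd))
                break
    return hits


def source_ips(hits):
    """Distinct addresses behind the flagged logins: the first place to look for
    the workstation whose stored credentials were reused."""
    return sorted({src for _host, src, _cmd in hits})


if __name__ == "__main__":
    for host, src, cmd in find_wiper_pattern(SAMPLE_LOG):
        print(f"{host}: root login from {src} followed by: {cmd}")
    print("pivot on:", source_ips(SAMPLE_LOG and find_wiper_pattern(SAMPLE_LOG)))
```

Two design points are worth noting. The check keys on password logins for root from a single source address because that is exactly what reused credentials from a connection manager look like; a key-based login from the same address would not be caught by the `user == "root"` filter unless you also alert on root logins generally, which many environments do. Second, the correlation is per host, so an attacker touching many servers from one workstation shows up as many hits sharing one source IP, and `source_ips` collapses those into the pivot a responder actually needs.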

Researchers at RSA, meanwhile, have discovered what they say may be a possible mobile app connection to the South Korea attacks; if confirmed, it would be the first major attack using mobile devices.

It started with a key exchange using an encryption module popular in Korea called XGate, akin to SSL, according to RSA. XGate 3.0 was hit by a buffer overflow attack, according to RSA's findings. "The Korean attack appears to be a targeted attack against the popular Xgate module, wiping the master boot record and rebooting the system. This victim was using XGate to handle payment processing. Other victims across the country were likely using it for open encryption of one sort or another," writes RSA researcher "Fiedler" in a post today.

RSA traced the source IP address to Korea Telecom and to a user-agent string that RSA researchers had seen before in a previous spearphishing attack -- one belonging to an Android phone. The theory is that the South Korea attackers either used an authorized app that connected victims to an online payment site, or a buffer overflow attack on the key generation process that injected code and ultimately spread.

"Based on what we're seeing, this was a multivector attack," says Will Gragido, senior manager with RSA FirstWatch Advanced Research Intelligence.

It also demonstrates just how fragile networks really are today. "And the evidence is clear that as simple of an attack [as one] launched from a cell or tablet can have pretty significant ramifications" and it can happen anywhere, he says.

Jim Jaeger, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, says he can't confirm just where the attacks came from or how they started, but that it was likely waged via multiple vectors. "Given that the attacks involved banking, an Android connection would not be surprising. And this would be the first big mobile attack if in fact it was a primary vector," Jaeger says. "But this involved a large enough set of different targets that there were likely to be multiple attack vectors."

But the user-agent string studied by RSA could be spoofed, notes Satnam Narang, manager at Symantec Security Response.

Richard Henderson, a security strategist at Fortinet, says the mobile angle is interesting but may not make sense when there are simpler infection techniques. "The idea itself isn't far-fetched, though: an attacker launching an attack via an Android phone. But honestly, it makes no sense to go to the effort when it's easier to just go the exploit pack route, which clearly works and works well," Henderson says. "Nothing's come across internally [here] to attribute this attack to anything with a mobile angle."

Meanwhile, there may be other victims or organizations that were able to repel the attacks, General Dynamics' Jaeger says. "The other interesting question is whether we will get indications over the next week or two if some companies were successful in foiling these attacks," he says. "I suspect these [banks and media firms] were not the only victims."

Separately, South Korean officials today said the attacks came from an IP address in China, according to a report today from CNN.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
