South Korea has not been too far from media attention lately, with reports of cyberattacks involving zero-day vulnerabilities, banking Trojans, gaming Trojans, back doors and distributed denial-of-service (DDoS) attacks targeting the nation. Symantec has uncovered a recent attack campaign revolving around Downloader.Tandfuy that incorporates all of these elements.
In a recent Symantec blog entitled ‘New Internet Explorer Zero-day Targeted in Attacks Against Korea and Japan’, Symantec covered the use of the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897) in attacks against South Korea. Our research into this campaign has shown that the attacker has previously used different exploits in recent attacks against South Korea. Furthermore, we have found that this attack has been part of a sustained campaign against South Korea since early September 2013. These attacks involved a whole host of different malcode threats which featured Downloader.Tandfuy for starters, followed by a dose of Trojan.Sequendrop, Backdoor.Ghostnet, Trojan.Chost and Infostealer.Gampass.
Figure. Anatomy of the Tandfuy cyberattacks targeting South Korea
Visit to a blogging website could result in a nasty surprise
The latest attack began with a victim visiting a popular South Korean blogging website that contained exploit code for the zero-day vulnerability CVE-2013-3897, along with additional code to check if the visitors’ computer is using either the Korean or Japanese language. If neither language was found, the attack would stop at this point. If the targeted languages were found, the exploit would run and the attack would be initiated with the download of Downloader.Tandfuy. Previously, Symantec had observed Downloader.Tandfuy being distributed in South Korea as a result of the use of another recent exploit for the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347). In both cases, Downloader.Tandfuy would subsequently download Trojan.Sequendrop, which would drop additional threats consisting of either Backdoor.Ghostnet, Trojan.Chost or Infostealer.Gampass.
Backdoor.Ghostnet is a commonly seen threat that we covered back in 2009 in our blog: ‘Ghostnet Toolset—Back Door at the Click of a Button’. While the use of this threat has been associated with espionage in the past, it is a remote access Trojan (RAT) known as Gh0st RAT, which is now freely available for anyone to download from the Internet.
Trojan.Chost is a threat that modifies the host file on a compromised computer to redirect DNS websites requests to different sites. In this case, the host file is modified to redirect several South Korean banking sites to the attacker’s site (IP address 18.104.22.168 or 22.214.171.124). At the time of analysis, we were unable to determine what further actions took place after the South Korean banking websites were redirected to the attacker’s site. The attacker’s motivation for redirecting the websites was possibly to conduct some form of phishing attack for online banking credentials.
The last threat dropped by Trojan.Sequendrop is Infostealer.Gampass, a threat that, as the name suggests, is used for stealing online gaming credentials. Interestingly, several media sites recently ran stories about 16 websites in South Korea coming under a DDoS attack. Symantec’s analysis of the latest Infostealer.Gampass sample, which was found to be used in this attack around that time, shows that it periodically reaches out to the 16 websites that the media said were under DDoS attack. The malware contacted these 16 websites in an attempt to download a file called djdjdava.jpg. This file is actually an executable disguised as an image file and has been seen to be either an updated version of Downloader.Tandfuy or Infostealer.Gampass. Research also found that most of the sites contacted were decoy sites that did not host the file. This activity by Infostealer.Gampass could possibly relate to the reported DDoS attack, as it may have been misinterpreted by some as being a DDoS attack against the websites.
Totally focused on South Korea
Symantec telemetry still shows continued activity related to this attack campaign. However, at this time, the main command-and-control server is no longer responding. Symantec telemetry also clearly shows that the attack has a laser-like focus on South Korea, as more than 99 percent of attacks were reported from South Korea with only incidental numbers reported from other regions.
The use of a zero-day vulnerability in similar attacks of this kind is nearly unheard of and shows that the attacker in this case has a certain level of sophistication. As several different types of malware were used in this attack campaign, the attacker’s exact goals are unclear, but they may have been motivated by financial gains. While cyberattacks against South Korea generally lead to media speculation of some kind of state-sponsored attacks, given the activities seen here, attribution for this attack is more likely to come from cybercriminality.
Symantec is continuing to monitor the activities related to this attack campaign. To stay protected, we recommend that users keep their systems up-to-date with the latest software patches. We also advise customers to use the latest Symantec technologies and incorporate the latest Norton consumer and Symantec enterprise solutions to best protect against attacks of this kind.