Command and Control Used in Sanny APT Attacks Shut Down

Two message boards used by the Sanny malware as a command-and-control channel have been shut down by the Korea Information Security Agency in conjunction with security company FireEye.

Sanny is a targeted attack, attributed to attackers in Korea, against individuals working in Russia’s aerospace, IT, education and telecommunications industries. The malware spread via a rigged Microsoft Word document attached to spear phishing email. The text in the email is written in Cyrillic; the document is a decoy that drops a malicious executable and two .dll files.

The message board hosting the malicious C&C channel is a legitimate board, nboard[.]net. Previous Sanny-based attacks were communicating through pages called ecowas_1 and kbaksan_1.

“Based on the time stamps and other indicators, we believe that both samples were created and deployed at the same time,” FireEye said in a blog post. “The attacker probably used different boards/DBs to divide victims to make sure that if one goes down he/she still can keep getting the stolen data from the remaining ones.”

Both have been shut down, FireEye said, and are no longer serving content.

The attackers had co-opted the nboard message boards, and because the boards did not require authentication, analysts were able to see complete lists of victims and compromised machines.

“The stolen data is encoded. Upon a quick look at the malware components, we find out that it is stealing lots of different kinds of passwords/credentials from the victim’s machine,” FireEye said. Credentials for Microsoft Outlook and Hotmail accounts lifted from Firefox sessions were stored there, as were Facebook log-ins. The malware also collected demographic data from the victim, including location, IP address, domain, ISP and country of origin.

In December, FireEye said that, based on its evidence, it could connect the attacks to machines in South Korea. The evidence included proof that the SMTP mail server and C&C channels were in Korea; the fonts used in the document were also Korean, as was the message board.

FireEye also said the attackers worked in two-day cycles at the time, logging in, collecting stolen data and then deleting it from the command and control server.
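Because the C&C channel described above rides on a legitimate, publicly reachable message board, alerting on the board's host name alone would be noisy; the distinguishing feature is repeated outbound POSTs to the specific board pages the article names (ecowas_1 and kbaksan_1). The following detection sketch is an added example, not code from FireEye or Threatpost. It parses a constructed proxy-log format (timestamp, client IP, method, URL, bytes sent) with constructed internal IP addresses, and reports which clients posted to those pages and how much data they sent. The host is written undefanged here so the string comparison works.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the article):
# "<timestamp> <client ip> <method> <url> <bytes sent>"
SAMPLE_LOG = """\
2012-12-10T09:14:02Z 10.1.5.23 POST http://nboard.net/ecowas_1 1842
2012-12-10T09:14:05Z 10.1.5.23 GET http://www.example.com/index.html 0
2012-12-10T09:44:01Z 10.1.5.23 POST http://nboard.net/ecowas_1?page=2 1790
2012-12-10T10:02:33Z 10.1.7.88 POST http://nboard.net/kbaksan_1 2210
2012-12-10T10:05:10Z 10.1.9.4 POST http://intranet.example.com/upload 5120
2012-12-10T10:06:00Z 10.1.9.4 GET http://nboard.net/ 0
"""

# Indicators taken from the article: the board host and the two board pages
# used as C&C. The host itself is legitimate, so the page name is what matters.
C2_HOST = "nboard.net"
C2_PAGES = {"ecowas_1", "kbaksan_1"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, nbytes = m.groups()
    host_path = re.sub(r"^https?://", "", url)
    host, _, path = host_path.partition("/")
    return {"ts": ts, "client": client, "method": method,
            "host": host, "path": path, "bytes": int(nbytes)}


def is_c2_request(rec):
    """True when the request targets one of the known C&C board pages.

    Only uploads (POST) count: the malware pushes stolen data to the board,
    and a plain GET of the board's front page is ordinary browsing.
    """
    if rec["host"] != C2_HOST or rec["method"] != "POST":
        return False
    first_segment = rec["path"].partition("?")[0].split("/")[0]
    return first_segment in C2_PAGES


def find_infected_hosts(log_text):
    """Return {client_ip: {"posts": [...], "bytes": total_sent}} for clients
    that posted to the C&C pages. Each post is (timestamp, page)."""
    hits = defaultdict(lambda: {"posts": [], "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_c2_request(rec):
            continue
        page = rec["path"].partition("?")[0].split("/")[0]
        hits[rec["client"]]["posts"].append((rec["ts"], page))
        hits[rec["client"]]["bytes"] += rec["bytes"]
    return dict(hits)


if __name__ == "__main__":
    for client, info in find_infected_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(info['posts'])} post(s), {info['bytes']} bytes to C&C pages")
```

In a real deployment the page list would come from threat intelligence rather than a hard-coded set, and the byte totals per client give an initial estimate of how much credential data may have left the machine before the board was taken down.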

Discussion

  • Ernst Chris Westergren on

    Do you offer protection for private individuals?

  • Anonymous on

    Protection for private individuals, what do you mean?
