Two message boards used by the Sanny malware as a command-and-control channel have been shut down by the Korea Information Security Agency in conjunction with security company FireEye.
Sanny is a targeted attack, attributed to attackers in Korea, against individuals working in Russia’s aerospace, IT, education and telecommunications industries. The malware spread via a rigged Microsoft Word document attached to spear phishing email. The text in the email is written in Cyrillic; the document is a decoy that drops a malicious executable and two .dll files.
The message board hosting the malicious C&C channel is a legitimate board, nboard[.]net. Previous Sanny-based attacks were communicating through pages called ecowas_1 and kbaksan_1.
“Based on the time stamps and other indicators, we believe that both samples were created and deployed at the same time,” FireEye said in a blogpost. “The attacker probably used different boards/DBs to divide victims to make sure that if one goes down he/she still can keep getting the stolen data from the remaining ones.”
Both have been shut down, FireEye said, and are no longer serving content.
The attackers had co-opted the nboard message boards, and because they did not require authentication to access them, analysts were able to see complete lists of victims and compromised machines.
“The stolen data is encoded. Upon a quick look at the malware components, we find out that it is stealing lots of different kinds of passwords/credentials from the victim’s machine,” FireEye said. Credentials for Microsoft Outlook and Hotmail accounts lifted from Firefox sessions were stored there, as were Facebook log-ins. The malware also collected demographic data from the victim, including location, IP address, domain, ISP and country of origin.
In December, FireEye said based on its evidence, it could connect the attacks to machines in South Korea. The evidence included proof the SMTP mail server and C&C channels were in Korea; the fonts used in the document were also Korean, as was the message board.
FireEye also said the attackers worked in two-day cycles at the time, logging in, collecting stolen data and then deleting it from the command and control server.
