It appears that a spear phishing campaign was the genesis for the wiper malware infections that ultimately knocked several prominent South Korean banks and broadcasters offline last week, according to a malware analysis performed by researchers from the Finnish cybersecurity firm F-Secure.
The South Korean NSHC Red Alert Team mentioned a number of malicious hashes in its official report [pdf] analyzing the incident, suggesting that these attacks were part of a larger campaign consisting of multiple operations.
Within that report was an interesting archive, whose filename translates roughly to “the customer’s account history,” that appeared to be targeting Shinhan banking clients. Shinhan was one of four banks reportedly affected last week. F-Secure noticed that the malware inside this archive used a double extension, with the filename padded out to an extreme length so that the real extension was pushed out of view. F-Secure immediately recognized this as an old social engineering tactic borrowed from the age of mass-mailing worms nearly a decade ago and determined that this particular archive was almost certainly sent as the malicious attachment in a spear phishing email.
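The double-extension trick described above is easy to screen for on the mail gateway or in an archive-scanning pipeline. The following is an added example, not code from F-Secure or from the report: it inspects archive member names for a decoy document extension followed by padding and an executable extension, and for names long enough to hide that. The extension lists and the sample member names are constructed for the example; the lure filename is modelled on the translated name the article gives, not the real one.

```python
import re

# Constructed lists for this example: extensions Windows runs on double-click,
# and document-like extensions a lure pretends to carry.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "dll", "vbs", "js"}
DECOY_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "htm", "html"}

# Matches ".<decoy><padding>.<real>" at the end of a name. Padding may be
# spaces, underscores, dashes or extra dots used to push the real extension
# out of the visible part of a file dialog or archive listing.
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{1,5})[\s_.\-]*\.([a-z0-9]{1,5})$")


def inspect_filename(name, max_len=64):
    """Return the reasons an archive member name looks like a lure (empty if clean)."""
    reasons = []
    m = DOUBLE_EXT.search(name.lower())
    if m and m.group(1) in DECOY_EXTS and m.group(2) in EXECUTABLE_EXTS:
        reasons.append(f"decoy .{m.group(1)} hides executable .{m.group(2)}")
    if len(name) > max_len:
        reasons.append(f"name length {len(name)} exceeds {max_len}")
    if re.search(r"[\s_.\-]{8,}", name):
        reasons.append("long run of padding characters in name")
    return reasons


def flag_archive_members(names, **kw):
    """Map each suspicious member name to its reasons; clean names are omitted."""
    flagged = {}
    for n in names:
        reasons = inspect_filename(n, **kw)
        if reasons:
            flagged[n] = reasons
    return flagged


# Constructed sample archive listing for the example.
SAMPLE_MEMBERS = [
    "customer_account_history.txt" + " " * 120 + ".exe",
    "statement_2013_03.pdf" + "_" * 60 + ".scr",
    "quarterly_report.pdf",
    "helper.dll",
]

if __name__ == "__main__":
    for name, why in flag_archive_members(SAMPLE_MEMBERS).items():
        shown = name if len(name) <= 40 else name[:40] + "..."
        print(repr(shown), why)
```

Single executable extensions such as `helper.dll` are deliberately not flagged here; this check targets the disguise, not every executable in an archive.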
The malware, according to F-Secure, was dated March 17, 2013, just a few days before the outages occurred. It made use of a fake Internet Explorer icon to tempt users into opening it and, once clicked, launched an IE lookalike page from System32. At least one of the payloads was a time-triggered dynamic link library (DLL) sample, set to execute on March 20 at 15:00.
After initiation, the malware downloaded and executed a number of files from a handful of compromised sites and made other HTTP requests as well, either to throw off any system administrators who might be monitoring traffic logs or to download further malicious components.
The sites used in the attack had been taken offline by the time F-Secure got a look at them. However, an F-Secure researcher identifying himself only as “Brod” claimed that some filenames used in the attack hinted that the payloads may be DLL files, while others suggested payloads may be hidden beneath the images of buttons in a URL.
The researchers looked into F-Secure’s malware collection to see if they had come across any similar wipers in the past. They didn’t find any direct matches, but there were a number of wiper components that matched the style of the ones used in this attack.
“It is interesting to note that Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks,” Brod wrote in closing. “These are either third-party applications or not supported by Windows natively. Not to mention the attacks specifically wipe remote Linux and Unix based systems. All these specifics give the impression of a targeted attack.”