Feeds

NORKS fingered for APT on South Korean think tanks

Kaspersky says 'Kimsuky' malware driven by Pyonyang

Top three mobile application threats

Security researchers have unearthed yet another highly targeted advanced persistent threat (APT) attack, this time launched by suspected North Korean attackers against a small group of South Korean think tanks.

The Kimsuky campaign, which can be traced back to April this year, was analysed by researchers at Kaspersy Lab in a lengthy blog post on its Securelist portal.

Although pegged as an “unsophisticated” spy program communicating with its operator through a Bulgarian public email server, it attracted their attention because some of its code contained Korean script, Kaspersky Lab’s Dmitry Tarakanov wrote.

Nevertheless, the malware was described as relatively basic, containing coding errors and even traces of infection by the Viking virus.

Tarakanov said his team isn’t sure how the attacks spread but that the samples collected are consistent with the “early stage malware” usually delivered by spear phishing emails.

An initial Trojan dropper loaded more malware onto an infected machine, disabling the system firewall and any Ahn Lab firewall installed - Ahn Lab being a popular Korean security software company.

It also turned off Windows Security Center to prevent any alerts about the disabled firewall, Tarakanov said.

The package contained several modules, each performing a single function: keylogging, directory list collection, remote control access, remote control download/execution and .HWP file theft. The latter is a file format which supports Hangul script and is used in a popular South Korean word processor.

The campaign also used a modified version of the Team Viewer remote access app rather than a bespoke backdoor to nab any interesting looking files from the victim’s machine.

Kaspersky Lab suspects North Koreans behind the attack campaign for several reasons, not least because the emails registered for “drop box mail accounts” are assigned the Korean sounding names "kimsukyang" and “Kim asdfa”.

The targets are also telling, including the Korean Ministry for Unification, the Korean Institute for Defence Analysis, and non-profit the Sejong Institute.

Tarakanov added the following:

Taking into account the profiles of the targeted organisations – South Korean universities that conduct research on international affairs, produce defence policies for government, [a] national shipping company, supporting groups for Korean unification – one might easily suspect that the attackers might be from North Korea.

The targets almost perfectly fall into their sphere of interest. On the other hand, it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin

In terms of originating IP address, ten of them used by Kimsuky operators were located in Jilin and Liaoning province, just over the North Korean border in China

“No other IP-addresses have been uncovered that would point to the attackers’ activity and belong to other IP-ranges,” Tarakanov added. “Interestingly, the ISPs providing internet access in these provinces are also believed to maintain lines into North Korea.”

If it is a North Korean APT campaign, it won’t be the first online attack launched by Pyongyang.

In March around 30,000 PCs in banks, insurance companies and TV stations were knocked out in the “Dark Seoul” attack which the South has blamed on Norks.

Seoul has even claimed that its feisty neighbour to the north has amassed a 3000-strong cyber army of highly trained hackers ready to steal military secrets and disrupt systems. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.