
DarkSeoul Gang Behind Yesterday's Cyber Attacks on South Korea, says Symantec



Yesterday (Tuesday, June 25) a series of cyber attacks hit organizations across South Korea. Symantec has attributed one of them to the DarkSeoul cyber criminal gang, which has carried out a number of high-profile attacks on South Korea over the past four years.

Besides Tuesday's attacks, the DarkSeoul gang is responsible for the Jokra attacks on South Korean banks and television broadcasters in March and for the attacks on South Korean financial companies in May. The group's operations follow a recognizable pattern, described below.

Timing DDoS and hard disk wiping attacks to fall on key historical dates is not new for the DarkSeoul gang: they previously launched DDoS and wiping attacks on United States Independence Day as well.

Figure 1. Four years of DarkSeoul activity

The DarkSeoul gang’s attacks tend to follow similar methods of operation. Trademarks of their attacks include:

  • Multi-staged, coordinated attacks against high-profile targets in South Korea
  • Destructive payloads, such as hard disk wiping and DDoS attacks configured to trigger on historically significant dates
  • Overwriting disk sectors with politically-themed strings
  • Use of legitimate third-party patching mechanisms in order to spread across corporate networks
  • Specific encryption and obfuscation methods
  • Use of specific compromised third-party webmail servers to store files
  • Use of similar command-and-control structures

The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have shown real technical sophistication. Nation-state attribution is difficult, but South Korean media reports have pointed to an investigation that concluded the attackers were working on behalf of North Korea. Symantec expects the DarkSeoul attacks to continue. Whether or not the gang is working for North Korea, its attacks are politically motivated and it has the financial backing needed to keep committing acts of cybersabotage against organizations in South Korea. Cybersabotage on a national scale has been rare; Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. The DarkSeoul gang is, however, almost unique in having carried out such high-profile and damaging attacks over a period of several years.

Figure 2. Castov DDoS attack

The Castov DDoS attack unfolds as follows:

  • A compromised website leads to the download of SimDisk.exe (Trojan.Castov), a Trojanized version of a legitimate application.
  • The Trojanized SimDisk.exe drops two files onto the compromised system: a clean copy of SimDisk.exe, the legitimate application, and SimDiskup.exe (Downloader.Castov).
  • Downloader.Castov connects to a second compromised server to download C.jpg (also Downloader.Castov), an executable given an image file name so that it looks like a picture.
  • The threat then uses the Tor network to download Sermgr.exe (Trojan.Castov).
  • Castov drops Ole[VARIABLE].dll (Trojan.Castov) into the Windows system folder.
  • Castov downloads CT.jpg from a web server running IceWarp webmail that had been compromised through publicly known IceWarp vulnerabilities. CT.jpg contains a timestamp that Castov uses to synchronize the attack across infected hosts.
  • Once that time is reached, Castov drops Wuauieop.exe (Trojan.Castdos).
  • Castdos floods the Gcc.go.kr DNS server with DNS requests, a DDoS attack that disrupts name resolution for the multiple websites that depend on that server.
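Two checks a responder could run against artefacts of the chain above, as an added example; this is not code from the original post or from Symantec. The first inspects a downloaded file's own structure rather than trusting its extension, which catches a C.jpg that is really a Windows executable. The second runs a sliding-window rate check over DNS query log lines to surface clients generating a Castdos-style flood. The PE skeleton, the JPEG header, the log line format, the threshold and the window are all constructed or assumed here for illustration; they are not Castov's real bytes or any real resolver's log format.

```python
"""Two checks prompted by the Castov chain described above.

Added, illustrative example; not code from the original post, from Symantec,
or from the Castov samples.  The file bytes and DNS query log lines are
constructed here for demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ---- Check 1: "image" files that are really Windows executables ------------
# C.jpg in the chain is a PE file served under an image extension, so the
# extension is not trustworthy; look at the file's own structure instead.

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_jpeg(data: bytes) -> bool:
    """True if data starts with the JPEG SOI marker."""
    return data[:3] == b"\xff\xd8\xff"

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def classify_blob(name: str, data: bytes) -> str:
    """Classify a downloaded file by its content versus the name it was served under."""
    claims_image = name.lower().endswith(IMAGE_EXTS)
    if is_pe(data):
        return "pe-masquerading-as-image" if claims_image else "pe"
    if is_jpeg(data):
        return "image"
    return "other"

# Constructed samples: a minimal PE skeleton (MZ header, e_lfanew = 0x40,
# 'PE\0\0' signature at that offset) and the first bytes of a JFIF stream.
FAKE_C_JPG = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
              + b"PE\x00\x00" + b"\x00" * 20)
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

# ---- Check 2: a DNS query flood from a small set of clients -----------------
# Castdos floods the target's DNS server with queries; a server-side log with
# one line per query is enough to spot clients whose query rate is abnormal.
# Assumed (constructed) line format:  <ISO-8601 timestamp> <client IP> <qname> <qtype>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def flag_dns_floods(lines, window=timedelta(seconds=1), threshold=50):
    """Return {client: first timestamp at which >= threshold queries fell inside one window}."""
    recent = defaultdict(deque)   # client -> timestamps still inside the sliding window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that do not match the format
        ts = datetime.fromisoformat(m.group(1))
        client = m.group(2)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:         # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged

def build_sample_log():
    """Constructed log: one bot sending 60 queries in 0.6 s, one normal client sending 5 in 10 s."""
    base = datetime(2013, 6, 25, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S.%f"          # fixed width so lexical order equals time order
    lines = [f"{(base + timedelta(milliseconds=10 * i)).strftime(fmt)} 10.0.0.5 gcc.go.kr A"
             for i in range(60)]
    lines += [f"{(base + timedelta(seconds=2 * i)).strftime(fmt)} 10.0.0.9 www.example.kr A"
              for i in range(5)]
    return sorted(lines)

if __name__ == "__main__":
    for name, blob in (("C.jpg", FAKE_C_JPG), ("photo.jpg", REAL_JPEG)):
        print(f"{name}: {classify_blob(name, blob)}")
    for client, when in flag_dns_floods(build_sample_log()).items():
        print(f"DNS flood from {client} detected at {when.isoformat()}")
```

The PE check reads the e_lfanew field rather than searching for the string "PE", so a JPEG that happens to contain those bytes is not misclassified; the flood check keeps only per-client timestamps inside the window, so memory stays bounded on a long log. Both thresholds are starting points to tune against a baseline of the resolver's normal traffic.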

More information is available in this Symantec blog post: http://bit.ly/14ukq4o

