Chris Doman
TLP White version
Early Reports - Nothing solid here
2004
News reports that Wifi networks used by Republic of Korea Army during joint US exercises
News reports that institutions including the National Assembly, Atomic Energy & Defense Research institutions are compromised.
2006
News reports of compromise of US and South Korean military organisations
2007
March 2007 - News reports that NK stole information on toxic chemicals and response plans from the Ministry of Environment.
The same month the first Operation Troy samples *likely* date from.
2007+ Operation Troy - Military Espionage
Lots of variants, primarily seen in espionage attacks against the military
Initially IRC communications, later HTTP
Disclosed by McAfee in 2013
March 7, 2007 - Probably the development date of the first-generation malware used in “Operation Flame”
Later closely related malware in “Operation 1Mission”, “Operation Troy”, and the 2013 DarkSeoul wiper attacks.
D:\VMware\eaglexp(Backup)\...BsDll.pdb
E:\Tong\Work\Op\1Mission\Team_Project\[2012.6~]\HTTP Trojan 2.0\HttpDr0pper\Win32\Release
E:\Work\BackUp\2011\nstar_1103\BackDoor\BsDll-up\Release\BsDll.pdb
Z:\1Mission\Team_Project\[2012.6~]\HTTP Troy\HttpDr0pper\Win32\Release
Z:\source\1\HttpTroy\BsDll-up\Release\BsDll.pdb
Z:\Work\Make Troy\Concealment Troy...
Lots of links
Lots of code re-use; a single XOR key (dkwero38oerA^t@#) links up most of the operations
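A shared XOR key is only useful as a link if you can find it in new samples. The scanner below is an added example, not code from the slides or from any of the reports they cite: it takes the 16-byte key quoted above and looks for places in a buffer where decoding with that key yields a plausible plaintext fragment (a URL scheme, an `.exe` name), trying every key alignment because the start of the encoded region is unknown. The sample buffer, the marker list and the `C2=` config string are constructed here for illustration.

```python
# Added example (not from the slides): scanning a buffer for strings encoded
# with the repeating XOR key quoted in the slides. The sample buffer below is
# constructed here for illustration; it is not a real sample.
KEY = b"dkwero38oerA^t@#"                      # 16-byte key quoted in the slides
MARKERS = (b"http://", b"https://", b".exe")   # plaintext fragments worth looking for


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_encoded_markers(buf: bytes, markers=MARKERS, key: bytes = KEY):
    """Return (offset, phase, marker) for every spot where the buffer holds a
    marker encoded with the key. The key repeats every len(key) bytes and the
    encoded region can start anywhere, so each of the len(key) key alignments
    ("phases") is tried by rotating the key before encoding the marker."""
    hits = []
    for marker in markers:
        for phase in range(len(key)):
            rotated = key[phase:] + key[:phase]
            needle = xor_with_key(marker, rotated)   # what the marker looks like on disk
            start = 0
            while (idx := buf.find(needle, start)) != -1:
                hits.append((idx, phase, marker))
                start = idx + 1
    return sorted(hits)


def recover_string(buf: bytes, idx: int, phase: int, key: bytes = KEY, limit: int = 256) -> bytes:
    """Decode forward from `idx` with the key alignment found by the scanner,
    stopping at the first decoded NUL byte (the usual C-string terminator)."""
    rotated = key[phase:] + key[:phase]
    out = bytearray()
    for i, b in enumerate(buf[idx:idx + limit]):
        d = b ^ rotated[i % len(rotated)]
        if d == 0:
            break
        out.append(d)
    return bytes(out)


# Constructed sample: a fake header, some padding, then a config string that
# was XOR-encoded with KEY starting at key index 0 (region starts at offset 19,
# so the "http://" marker sits at offset 22 with key phase 3).
CONFIG = b"C2=http://example.test/update.php\x00"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 15 + xor_with_key(CONFIG) + b"\x00" * 8

if __name__ == "__main__":
    for idx, phase, marker in find_encoded_markers(SAMPLE):
        print(f"offset {idx}: {marker!r} encoded at key phase {phase} -> "
              f"{recover_string(SAMPLE, idx, phase)!r}")
```

Because the needle is the marker already encoded for a given alignment, the search is a plain substring scan per phase and no decoding of the whole file is needed; once a hit is found, `recover_string` decodes outward from it with the same alignment to pull out the full configuration string.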
Three waves (July 4 - July 7 - July 9) of DDoS attacks, different sites each time.
April - There were also reports of later attacks against Nonghyup bank from a compromised PC of a contractor
Websites included:
• ahnlab.com
• airforce.mil.kr
• army.mil.kr
• assembly.go.kr
• ...
2012 June
2012 JoongAng Newspaper Data Theft
2013 March - Jokra DDoS and Wiper Attacks
- Two banks, three TV stations shut down
- Wipes the MBR and all files, overwriting them with “PRINCIPES” or “HASTATI”.
- Infection via email, patch management systems
2013 March - LG
2013 June - Castov DDoS and Wiper attacks
- DDoS malware distributed via the compromised auto-update mechanism of a file-storage application called SimDisk.
- Used Tor for command and control.
- DDoS of gcc.go.kr DNS server
- DiskWiper (KorHigh)
2013 June - Websites defaced on both sites...
Lots of links between various “Dark Seoul” attacks
- Overlaps between various DDoS / Wiper attacks discussed by Symantec
- Links to later Sony / Lazarus attacks in “Seoul to Sony”
2014 - Reports of continued attacks
March - Reports that Seoul Metro was compromised
- See Kaspersky “Chasing the Bad Guys from Bangladesh to Costa Rica”
2017 - More activity for monetary gain
- Mining cryptocurrency on compromised hosts
E:\Data\MyProjects\TroySourceCode\tcp1st\rifle\Release\rifle.pdb - Simple backdoor
E:\Data\MyProjects\TroySourceCode\tcp1st\sniffer-Copy\Release\dll_like_exe.pdb - Sniffer
E:\Data\MyProjects\TroySourceCode\tcp1st\server\Release\server.pdb - Server side
2015 November - Rifle - Spearphishing Defense
- Themed around ADEX exhibition, targeted defense companies
2016+ - Andariel (Rifle & Phandoor?)
2016 March - SK Group, Hanjin, Korea Airline, KT - Rifle Malware
- Reportedly over 1TB of files stolen, 140k machines across 27 companies infected
- Vulnerability in TCO!Stream - Asset Management System.
2016 August - South Korean Ministry of National Defense (Cyber Command) - Phandoor malware
- 3000 hosts compromised, 700 on military intranet
(Many of these details are from talks by Kyoung-Ju Kwak, Moonbeom Park and Ashley Shen)
2016+ - Andariel (Rifle & Phandoor)
2017 March - ATM service provider
- Compromised internal network with antivirus update server
- Connected to same C2 as samples in the MND compromise
- sample_atm.exe(MD5): 4C9A343510E9B1F78E98DDC455E9AB11
- java.exe(MD5): 5C3F89ABFA560DECECF1B46994290D3F
- javaupdate.exe(MD5): 34FD02BE8006614F7B1BAE4D453E19F4
- sample_atm.exe(MD5): 492AE026C41D516F107055E0487BE328
- See https://kkomak.wordpress.com/2017/03/22/atm-%EB%A9%80%EC%9B%A8%EC%96%B4/ and the SAS talk
- Removed
Lots of overlaps
- See "Silent Rifle" by Kyoung-Ju Kwak
Kimsuky - 2013+
Troy
E:\WORK\BackUp\2011\nstar_1103\BackDoor\BsDll-up\Release\BsDll.pdb
- Removed
How might you group all this together?
- From secondary sources (a.k.a. “other people’s work”) with some quick checks
- What do you think? :)
Kaspersky saw “2017-01-18 11:12: Testing bot from 175.45.xxx.xxx” from C2 server logs
Group IB saw backend infrastructure controlled by 175.45.178.222 via
They also reference a South Korean TV report referencing a NK IP in the same /24
Is it from this?
Serving Adobe Flash Exploit CVE-2014-0515:
Windows XP Firefox
What about WannaCry (oh god no!)
No need to cover this. But a couple of quick notes...
- Lots of other worms bouncing around since 2009
- Cryptocurrency seems relevant
- Multiple code overlaps are a common feature when tracking activity
A tool for finding overlaps
Filtering down:
- Take all hex patterns that start with function prologs (558B etc.)
- Remove whitelisted patterns, taken from 100 GB of “clean files”
- Remove patterns that appear in only a single family of Lazarus malware
- Manually prune packers and unrelated malware - the hard bit
- End up with ~250 YARA rules for compiled functions that appear in multiple families
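The pipeline above, condensed into a runnable script, as an added example; this is not the tool from the slides and does not reproduce its thresholds. It carves a fixed-length byte window at every x86 function prolog (`55 8B EC`, push ebp; mov ebp, esp), drops windows that also occur in a clean corpus, drops windows seen in only one family, and emits the survivors as YARA rules. The "compiled functions", sample files, family names and the clean corpus are all constructed here for illustration and are not real malware; the manual pruning step from the slides is left to the analyst.

```python
# Added example (not the tool from the slides): a small version of the
# overlap-finding pipeline described there. All bytes below are constructed
# for illustration; they are not real malware.
import hashlib
from collections import defaultdict

PROLOG = b"\x55\x8b\xec"   # push ebp; mov ebp, esp (common x86 function entry)
PATTERN_LEN = 16           # bytes kept from each prolog onward

# Constructed "compiled functions": a runtime helper that also lives in clean
# files, a function shared across families, and one unique to a single family.
CRT_FUNC = b"\x55\x8b\xec\x8b\x45\x08\x85\xc0\x74\x05\x8b\x40\x04\xeb\x02\x33\xc0\x5d\xc3"
SHARED_FUNC = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb\x8b\x75\x0c\x85\xff\x5d\xc3"
UNIQUE_FUNC = b"\x55\x8b\xec\x51\x8b\x4d\x08\x8a\x01\x3c\x2e\x75\x04\xb0\x01\xeb\x02\x32\xc0\x59\x5d\xc3"

# Constructed corpus: family name -> {file name: file bytes}. Family names are
# placeholders, not attributions.
FAMILIES = {
    "troy": {"troy_a.bin": CRT_FUNC + SHARED_FUNC + UNIQUE_FUNC,
             "troy_b.bin": SHARED_FUNC + CRT_FUNC},
    "darkseoul": {"darkseoul_1.bin": CRT_FUNC + SHARED_FUNC},
    "castov": {"castov_1.bin": CRT_FUNC},
}
CLEAN_FILES = [CRT_FUNC]   # stands in for the "100 GB of clean files"


def extract_patterns(blob: bytes, length: int = PATTERN_LEN) -> set:
    """Every `length`-byte window in `blob` that begins with the prolog."""
    found = set()
    pos = blob.find(PROLOG)
    while pos != -1:
        window = blob[pos:pos + length]
        if len(window) == length:          # skip a prolog too close to the end
            found.add(window)
        pos = blob.find(PROLOG, pos + 1)
    return found


def build_overlap_patterns(families: dict, clean_files: list, length: int = PATTERN_LEN) -> dict:
    """Patterns that survive whitelisting and occur in at least two families,
    mapped to the set of families they were seen in."""
    whitelist = set()
    for blob in clean_files:
        whitelist |= extract_patterns(blob, length)
    seen_in = defaultdict(set)
    for family, samples in families.items():
        for blob in samples.values():
            for pat in extract_patterns(blob, length) - whitelist:
                seen_in[pat].add(family)
    return {pat: fams for pat, fams in seen_in.items() if len(fams) >= 2}


def to_yara(patterns: dict) -> str:
    """Render each surviving pattern as a YARA rule; the rule name is derived
    from a hash of the bytes so it is stable across runs."""
    rules = []
    for pat, fams in sorted(patterns.items()):
        name = "overlap_" + hashlib.sha256(pat).hexdigest()[:8]
        hexstr = " ".join(f"{b:02X}" for b in pat)
        rules.append(
            f"rule {name} {{\n"
            f"    meta:\n        families = \"{', '.join(sorted(fams))}\"\n"
            f"    strings:\n        $func = {{ {hexstr} }}\n"
            f"    condition:\n        $func\n}}"
        )
    return "\n\n".join(rules)


if __name__ == "__main__":
    print(to_yara(build_overlap_patterns(FAMILIES, CLEAN_FILES)))
```

On the constructed corpus only the shared function survives: the runtime helper is removed by the clean-file whitelist and the family-specific function by the two-family threshold. Packer stubs and statically linked library code that is missing from the clean corpus will still come through, which is why the slides call the manual pruning step the hard bit.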
Results are “ok”
37 samples from a retrohunt of 62 TB of files.