thehat

South Korean Attack & Malware Analysis


On March 20th an attack was launched that brought down the computer systems of three major media broadcasters and at least two financial institutions in South Korea. The Red Alert team, which is part of NSHC Security, has provided access to their ongoing reports on the malware attack (PDF – Korean).

The attack was first detected on March 20, 2013 around 2:20PM (UTC+9). South Korean broadcasters KBS, MBC and YTN, as well as three banks, Jeju, Nonghyup (Bank and Insurance) and Shinhan, all reported having their computer networks knocked offline after PCs were infected by data-deleting malware believed to have spread from update servers on the network.

MBR & VBR Corruption

From several samples of the malware and logs it has been found that the malware was designed to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR). Once the corruption has taken place the system reboots, leaving it unusable because the MBR is missing.

Remote Server Access & Wipe Attempt

In addition to corrupting the MBR on the target system, an executable (vti-rescans.exe) checks for the existence of remote management tools for Linux/Unix servers (Felix Deimel, mRemote, VanDyke, SecureCRT), pulls remote connection configuration information including host name, username and password, and uses this to make a connection via a PuTTY console (alg.exe) or SCP (conime.exe) to execute commands on the remote system. A temporary file ~pr1.tmp is created which contains the shell script to execute; it attempts to wipe all data from the remote system.

Malware Flow

First the initial file is dropped onto the system; it checks for the existence of remote configuration files, then creates and executes additional files. In the next phase of the attack the MBR is corrupted once no remote connection information is found.

(Image: malware_flow_sm.png – malware flow diagram)

Security Software Process Kill

In an attempt to block attempts by security software to terminate the malicious payload, the malware kills the processes of two popular anti-virus products, both AhnLab Policy Agent (pasvc.exe) and ViRobot ISMS (clisvc.exe).

Malware Files

So far the files involved in the attack are as follows:

File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe

MD5: db4bbdc36a78a8807ad9b15a562515c4

File Type: Win32 EXE

File Name: OthDown.exe

MD5: 5fcd6e1dace6b0599429d913850f0364

File Type: Win32 EXE

File Name: AmAgent.exe

MD5: 5fcd6e1dace6b0599429d913850f0364

File Type: Win32 EXE

File Name: vti-rescan.exe

MD5: 9263e40d9823aecf9388b64de34eae54

File Type: Win32 EXE
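A defender-side triage script for the indicators above (the MD5 list here and the ~pr1.tmp / alg.exe / conime.exe file names from the remote-wipe section). This is an added example, not code from the post or from NSHC; it walks a directory tree, hashes every file and reports name or hash matches, and the sample tree in its usage is constructed.

```python
import hashlib
import os
from pathlib import Path

# MD5 hashes taken from the "Malware Files" list in the post.
KNOWN_MD5 = {
    "db4bbdc36a78a8807ad9b15a562515c4": "ApcRunCmd dropper",
    "5fcd6e1dace6b0599429d913850f0364": "OthDown.exe / AmAgent.exe",
    "9263e40d9823aecf9388b64de34eae54": "vti-rescan.exe",
}

# File names the post ties to the remote-wipe stage. alg.exe and conime.exe are
# also legitimate Windows binary names, so a name hit is a lead to verify by
# path, signature and hash, not a conviction on its own.
SUSPECT_NAMES = {"~pr1.tmp", "vti-rescan.exe", "vti-rescans.exe",
                 "othdown.exe", "amagent.exe", "alg.exe", "conime.exe"}


def md5_of(path, chunk=1 << 20):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, bad_hashes=KNOWN_MD5, bad_names=SUSPECT_NAMES):
    """Walk root and return sorted (path, reason) pairs for every indicator hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            if name.lower() in bad_names:
                hits.append((str(path), "suspect name: " + name))
            try:
                digest = md5_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in bad_hashes:
                hits.append((str(path), "MD5 match: " + bad_hashes[digest]))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, reason in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:40} {path}")
```

Run it against a mounted disk image or a share rather than the live system drive where possible, and treat a hash hit as confirmed and a name-only hit as something to inspect.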

Attack Source

The media has made a number of speculations and assumptions regarding the origins of the attack, as well as the purpose and intent of the attackers, none of which have been substantiated by evidence. There were some reports that the malware attack was related to a site defacement of LG U+ by a group calling itself the "Whois" team, but no evidence exists at this time to link the two, aside from the two incidents occurring at roughly the same time.

Thank you to NSHC Red Team for providing ongoing detailed reports and excellent analysis of the malware involved.

Source: South Korean Attack & Malware Analysis : The State of Security
