Symantec researchers have been monitoring the campaign

Oct 15, 2013 09:37 GMT

Symantec researchers have been monitoring a cyber-espionage campaign aimed mainly at South Korean organizations and executives doing business with South Korea.

According to experts, the attackers target financial and investment companies, infrastructure and development organizations, defense contractors and government agencies. The targets are located all around the world, including in Korea, Australia, Brazil and the United States.

The operation against Korea-related entities started in 2009. The cybercriminals have been using the Backdoor.Egobot Trojan, which they’ve been continually improving.

A typical attack follows four steps: identify targets, exploit them in order to drop the malware, steal information, and remain undetected.

Once a target has been identified, the attackers use social engineering techniques to gather information. Then, spear-phishing emails are used to trick people inside the organization into downloading and executing a piece of malware.

The attached files can be .lnk, .doc or .hwp files. When they’re executed, a three-stage download process is triggered.

First, an obfuscated .html file is downloaded, which drops an executable on the infected computer. In turn, this executable downloads a RAR archive, which retrieves the backdoor component. The malicious files are hosted on GeoCities Japan.
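The staged chain above (an .html page, then an executable, then a RAR archive, all fetched by one client from one host in a short window) is a pattern a defender can hunt for in web-proxy logs. The script below is an added example written for this article, not Symantec's code or any published Egobot indicator: the log format, the hostnames and the client addresses are all constructed placeholders, and the ten-minute window is an assumed tuning value.

```python
"""Flag a three-stage download chain (.html -> .exe -> .rar) from one
external host by one client in web-proxy logs.
Added example; the log lines below are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client_ip> <url>".
# 10.0.0.7 shows the full chain; 10.0.0.9 fetches the .exe too late;
# 10.0.0.5 is ordinary browsing.
SAMPLE_LOG = """\
2013-10-15T09:00:01 10.0.0.5 http://cdn.example-static.test/news.html
2013-10-15T09:00:03 10.0.0.5 http://cdn.example-static.test/logo.png
2013-10-15T09:01:10 10.0.0.7 http://pages.example-host.test/u/report.html
2013-10-15T09:01:12 10.0.0.7 http://pages.example-host.test/u/update.exe
2013-10-15T09:01:20 10.0.0.7 http://pages.example-host.test/u/data.rar
2013-10-15T09:05:00 10.0.0.9 http://pages.example-host.test/u/report.html
2013-10-15T11:30:00 10.0.0.9 http://pages.example-host.test/u/update.exe
"""

STAGES = (".html", ".exe", ".rar")   # order the chain must appear in
WINDOW = timedelta(minutes=10)       # assumed: max spread of the chain


def parse_line(line):
    """Split one log line into (timestamp, client, host, stage-extension or None)."""
    ts, client, url = line.split(maxsplit=2)
    parsed = urlparse(url)
    path = parsed.path.lower()
    ext = next((s for s in STAGES if path.endswith(s)), None)
    return datetime.fromisoformat(ts), client, parsed.hostname, ext


def find_download_chains(log_text, window=WINDOW):
    """Return [(client, host, [timestamps])] for every client that fetched
    an .html, then an .exe, then a .rar from the same host within `window`."""
    events = defaultdict(list)        # (client, host) -> [(ts, ext), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ext = parse_line(line)
        if ext:                       # ignore requests that are not a stage
            events[(client, host)].append((ts, ext))

    hits = []
    for (client, host), evs in events.items():
        evs.sort()
        for i, (t0, e0) in enumerate(evs):
            if e0 != STAGES[0]:
                continue              # a chain starts only at an .html fetch
            chain, stage = [t0], 1
            for t, e in evs[i + 1:]:
                if t - t0 > window:
                    break             # later requests are outside the window
                if e == STAGES[stage]:
                    chain.append(t)
                    stage += 1
                    if stage == len(STAGES):
                        hits.append((client, host, chain))
                        break
    return hits


if __name__ == "__main__":
    for client, host, times in find_download_chains(SAMPLE_LOG):
        print(f"chain: client={client} host={host} "
              f"from {times[0]} to {times[-1]}")
```

The heuristic keys on the order and proximity of the three fetches rather than on any specific file name or host, so it generalises beyond the campaign's hosting choice; in practice the window and the extension list are the knobs to tune against a site's own false-positive rate.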

The main payload is capable of performing various tasks, including recording audio and video, taking screenshots, uploading files to a remote server, obtaining a list of recent documents, searching for a certain string in files, and deleting and creating restore points.

In order to remain hidden, Egobot uses three components: a detour component that helps it masquerade as a clean process, a coordinator component that moves files and injects them into legitimate processes, and a timer functionality that commands the Trojan to delete itself after a certain date.

Symantec believes that the same cybercriminal organization is behind a more widespread and prevalent campaign that relies on Infostealer.Nemim.

Additional technical details on the Egobot campaign are available on Symantec's blog.