Experts Study Malware Used in South Korean Attacks

North Korea is the main suspect, but this could also be the work of other hackers

By on March 21st, 2013 07:59 GMT

A lot of reports are flowing in regarding the recent cyberattacks against several South Korean TV networks and financial institutions.

First of all, experts from a number of security firms, including Sophos and Symantec, have analyzed the piece of malware that has been used to disrupt all those systems.

Sophos reports that the malware – Mal/EncPk-ACE, which the firm dubs DarkSeoul – is not sophisticated at all. The company’s products have been detecting it for almost a year now.

While the lack of sophistication might indicate that this isn't a state-sponsored attack, the fact that the malware is designed to disable two popular South Korean antivirus solutions – AhnLab and Hauri AV – supports the idea of a targeted attack.

According to Symantec’s technical analysis of the malicious element, which the company dubs Trojan.Jokra, one of the malware’s components is capable of wiping data from devices that run a Linux operating system.

“The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat,” Symantec experts noted.

As far as the origin of the attacks is concerned, the Yonhap News Agency has revealed that a Chinese IP address has been identified. However, China is not the main suspect.

Experts highlight that this wouldn’t be the first time when North Korea hides behind Chinese IP addresses to launch cyberattacks.

In addition, a senior government official has told the news agency that North Korea is “strongly suspected.”

So what about the “mysterious” skulls that showed up on the screens of some computers?

A group of hackers called the “Whois Team” have defaced several websites exactly at the time when the banks and broadcasters were attacked. The only thing that indicates a connection between the defacements and the outages is South Korean Internet services provider LG UPlus.

Some of the company’s sites were defaced by Whois Team and the IPS’s representatives confirmed that their networks were possibly breached, Reuters reports.

Coincidentally or not, most of the victims of the cyberattacks rely on LG UPlus’ services, so some have assumed that there may be a connection.

In addition, initial reports revealed that the employees of the affected financial institutions saw the same skulls used by the Whois Team in their defacement page.

However, experts haven’t been able to get the malware to reproduce the skulls so there's a possibility that the initial reports were not so accurate and mixed up the defacements with the malware attacks.
Whois Team defacement page
   Whois Team defacement page
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments