14 DAY TRIAL // Security researchers have encountered a new, particularly small in size Trojan, targeting an undisclosed Korean organization.
The malicious file is enclosed in an RTF document that purports to be an invitation directed at the organization’s employees, for a free car checkup.
The text document is written in Korean and is circulated internally and leverages an old vulnerability (CVE-2012-0158) exploiting ActiveX controls in Windows Common Controls, researchers at Symantec have found.
The exploit offers the attacker the possibility to execute remote code on the affected machine.
Detected by Symantec as Backdoor.Baccamun, the Trojan is 19KB in size and can be used for listing running processes, terminating any of them, funneling in files, and executing arbitrary commands.
An interesting aspect is the particular marker left in the code by the attacker. According to the researchers, the string, which is of Asian origin, is peculiar in the sense that it is not fully meaningful.
Starting from the hex string (0xA5, 0xD0, 0xA5, 0xAB), they found that it was not defined in Japanese character codes and it could not translate to a meaningful word with codes used in Korea, China, Taiwan, or Hong Kong.
“However, in GB character codes used in China it makes a Katakana word in Japanese. The string is ‘baka (バカ)’, which means ‘fool’ or ‘idiot’ in Japanese,” say the researchers in a blog post.
This makes finding out details about the attacker more difficult. Although the marker can be easily typed on an operating system localized for Japan, the OS would not be able to produce the 0xA5, 0xD0, 0xA5, 0xAB hex because a different code mapping is used.
Alternatively, in case of using an operating system in Chinese, the Japanese Input Method Editor (IME) needs to be added and type the word manually. In the case of other languages, to achieve this the hex code must be input or rely on a “back door controller program” to send the marker string.
As such, the findings of the security experts that analyzed the sample as far as the origin of the attacker is concerned are inconclusive. “With a Word document in decent Korean, a marker string that can be translated to a Japanese word, and a Japanese word represented in Chinese GB character codes, it can be difficult to make a guess at who the attacker is.”
The process was further hindered by the fact that the perps relied on a dynamic DNS service for establishing communication with the backdoor. Based on these details, the best guess at the moment is that the threat actor operates from the East Asia region and possesses multilingual skills.