Malware authors leave an interesting message in the code of a new threat.
Contributor: Satnam Narang
Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:
We have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.
Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:
Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.
Figure 1. Countries targeted with Backdoor.Egobot
The aim of the Egobot campaign is to steal confidential information from compromised computers.
The attackers gather information about their targets using social engineering techniques prior to luring them into the trap. The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.
Figure 2. Egobot spear phishing email with malicious shortcut attachment
Various malicious attachments have been used in this campaign:
When attachments are opened it triggers the following three-stage download process:
Stage 1: Download obfuscated HTML file
Each of the attachments downloads malware from sites hosted on GeoCities Japan. The files vary, but are usually named update[YYYYMM].xml which is an obfuscated HTML file that drops an executable on the system.
Stage 2: Download RAR archive
The dropped executable from Stage 1 then retrieves another file from GeoCities Japan. This file is hotfix[YYYYMM].xml, which is an executable RAR file. Both downloaded files in the first two stages are disguised as XML documents in an attempt to pass as a clean file.
Stage 3: Download back door component
The executable RAR file is responsible for preparing the system. It drops a set of files which are responsible for moving files around, injecting a component into processes, and stealing the following system information:
Figure 3. Stolen system information found in Egobot strings
Stolen information is sent to Egobot's command-and-control (C&C) server in the following format:
Figure 4. Communication back to C&C server, arg1 value highlighted
Data that is sent back to the C&C is encrypted using a rotating key embedded within the malware. We observed the following two specific keys:
Finally, the executable RAR file downloads one last component from GeoCities Japan. This downloaded file is named using the value of arg1 in the GET command sent to the C&C. In this case, Egobot attempts to download a file called 1irst.tmp, which is the main payload.
The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:
The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.
Staying under the radar
Egobot is downloaded onto a system as a bundled RAR archive with various components packed using commercial packers exe32pack and UPX. These following components are used to mask the presence of the malware:
Figure 5. Backdoor.Egobot components
And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.
Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed "DarkSeoul" against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.
Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to "highanon2013" or executing specific wipe instructions related to the following file types:
The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.
Figure. Trojan.Korhigh wallpaper
The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:
Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.
Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.
We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack. These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.
Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well.
Figure 1. Four years of DarkSeoul activity
The DarkSeoul gang’s attacks tend to follow similar methods of operation. Trademarks of their attacks include:
The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea. Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare—Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.
Figure 2. Castov DDoS attack
The Castov DDoS attack occurs in the following manner:
A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.
On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP post. The malware then registers an Internet filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with the message in Japanese or Korean reporting that the service was unavailable and to please try again.
McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps–from coffee to fast-food chains, including an antivirus product from Korea that was uploaded and revoked from Google Play–were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 to 60,000 mobile users, according to our analysis.
The new variant now extends to Japanese victims. Most other threats targeting Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.
Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.
The most bizarre aspect of this new strain remains to be explained, and highlights a limitation in the antimalware research field. Regardless whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects to a case in which no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that’s an evasive technique dubbed server-side polymorphism, and attempts to avoid detections by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.