Category Archives: korea

New Back Door Trojan Program is No Fool

Malware authors leave an interesting message in the code of a new threat.

Backdoor.Egobot: How to Effectively Execute a Targeted Campaign

Contributor: Satnam Narang

Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:

  1. Identify targets
  2. Exploit targets (in order to drop the payload)
  3. Perform malicious activity (in this case, stealing information)
  4. Remain undetected

We have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.

Egobot targets

Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:

  • Finance and investment
  • Infrastructure and development
  • Government agencies
  • Defense contractors

Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.


Figure 1. Countries targeted with Backdoor.Egobot

The aim of the Egobot campaign is to steal confidential information from compromised computers.


The attackers gather information about their targets using social engineering techniques prior to luring them into the trap. The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.


Figure 2. Egobot spear phishing email with malicious shortcut attachment

Various malicious attachments have been used in this campaign:

When attachments are opened it triggers the following three-stage download process:

Stage 1: Download obfuscated HTML file

Each of the attachments downloads malware from sites hosted on GeoCities Japan. The files vary, but are usually named update[YYYYMM].xml which is  an obfuscated HTML file that drops an executable on the system.

Stage 2: Download RAR archive

The dropped executable from Stage 1 then retrieves another file from GeoCities Japan. This file is hotfix[YYYYMM].xml, which is an executable RAR file. Both downloaded files in the first two stages are disguised as XML documents in an attempt to pass as a clean file.

Stage 3: Download back door component

The executable RAR file is responsible for preparing the system. It drops a set of files which are responsible for moving files around, injecting a component into processes, and stealing the following system information:

  • Windows version
  • Installed service pack version
  • Install language
  • User name


Figure 3. Stolen system information found in Egobot strings

Stolen information is sent to Egobot's command-and-control (C&C) server in the following format:

  • /micro/advice.php?arg1=1irst&arg2=[BASE64 ENCODED STRING]
  • /micro/advice.php?arg1=1irst&arg2=[HASH]&arg3=[BASE64 ENCODED STRING]


Figure 4. Communication back to C&C server, arg1 value highlighted

Data that is sent back to the C&C is encrypted using a rotating key embedded within the malware. We observed the following two specific keys:

  • youareveryverygoodthing
  • allmyshitisveryverymuch

Finally, the executable RAR file downloads one last component from GeoCities Japan. This downloaded file is named using the value of arg1 in the GET command sent to the C&C. In this case, Egobot attempts to download a file called 1irst.tmp, which is the main payload.

Stealing information

The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:

  • Recording video
  • Recording audio
  • Taking screenshots
  • Uploading files to a remote server
  • Obtaining a recent document list
  • Searching for a string or pattern in a file
  • Deleting and setting restore points

The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.

Staying under the radar

Egobot is downloaded onto a system as a bundled RAR archive with various components packed using commercial packers exe32pack and UPX. These following components are used to mask the presence of the malware:

  1. Detoured component: Backdoor.Egobot is compiled using an older version of Microsoft's Detours software package functionality, which includes the detoured.dll file. This file is used to attach malicious .dll files to legitimate Win32 binaries. Egobot can use this file to run itself in the memory of a legitimate process, masquerading as a clean process.
  2. Coordinator component: Prepares files by moving them into the appropriate folders and injecting them into legitimate processes. Backdoor.Egobot is typically injected into the explorer.exe, subst.exe, and alg.exe processes.
  3. Timer functionality: Some versions of the back door component include a timer functionality so the Trojan can delete itself after a certain date. This feature removes any traces of Backdoor.Egobot.


Figure 5. Backdoor.Egobot components

Symantec customers are protected by Symantec Email Malicious samples from this campaign are detected as Trojan Horse, Trojan.Dropper, Trojan.Mdropper, and Backdoor.Egobot.

And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.

New Internet Explorer Zero-day Targeted in Attacks Against Korea and Japan

In Microsoft’s Patch Tuesday for October 2013, the company released MS13-080 to address two critical vulnerabilities that have been actively exploited in limited targeted attacks. The first critical vulnerability in Internet Explorer, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), was discussed in an earlier Symantec blog.
The second critical vulnerability for Internet Explorer is the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897). In a blog post from Microsoft, the company describes how this issue is a use-after-free vulnerability in CDisplayPointer triggered with the onpropertychange event handler. The blog continues, explaining how the exploit uses a JavaScript heap-spray to allocate a small ROP chain around the address 0x14141414. When found in the wild, the exploit was designed to target only Internet Explorer 8 on Windows XP for the Korean and Japanese language-based users. For Symantec customers, the following protection is already in place for this attack:  
Intrusion Prevention System:
Symantec telemetry shows that the attack taking advantage of CVE-2013-3897 began around September 11, 2013 and that it has mainly affected South Korean users, due to how Web pages on a popular Korean blogging site were used to redirect users to the site hosting the exploit.  
Symantec is continuing to investigate this attack to ensure that the best possible protection is available. As always, we recommend that users keep their systems up-to-date with the latest software patches. We also advise customers to use the latest Symantec technologies and incorporate the latest Norton consumer and Symantec enterprise solutions to best protect against attacks of this kind.
Update  09 October, 2013:
Symantec has released an additional IPS signature to protect against CVE-2013-3897:
Update – 11 October, 2013:
Symantec has released an additional AV detection to protect against CVE-2013-3897:

New Disk Wiper Found in Korean Attacks

Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed "DarkSeoul" against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.

Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to "highanon2013" or executing specific wipe instructions related to the following file types:

  • asp
  • aspx
  • avi
  • bmp
  • dll
  • do
  • exe
  • flv
  • gif
  • htm
  • html
  • jpeg
  • jpg
  • jsp
  • mp4
  • mpeg
  • mpg
  • nms
  • ocx
  • php
  • php3
  • png
  • sys
  • wmv

The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.


Figure. Trojan.Korhigh wallpaper

The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:


Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.

Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War

Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.

We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack. These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.

Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well.


Figure 1. Four years of DarkSeoul activity

The DarkSeoul gang’s attacks tend to follow similar methods of operation. Trademarks of their attacks include:

  • Multi-staged, coordinated attacks against high-profile targets in South Korea
  • Destructive payloads, such as hard disk wiping and DDoS attacks configured to trigger on historically significant dates
  • Overwriting disk sectors with politically-themed strings
  • Use of legitimate third-party patching mechanisms in order to spread across corporate networks
  • Specific encryption and obfuscation methods
  • Use of specific third-party webmailer servers to store files
  • Use of similar command-and-control structures

The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea. Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare—Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.


Figure 2. Castov DDoS attack


The Castov DDoS attack occurs in the following manner:

  1. Compromised website leads to the download of SimDisk.exe (Trojan.Castov), a Trojanized version of a legitimate application.
  2. SimDisk.exe drops two files onto the compromised system: SimDisk.exe (Clean), the legitimate non-Trojanized version, and SimDiskup.exe (Downloader.Castov).
  3. Downloader.Castov connects to a second compromised server to download the C.jpg file (Downloader.Castov), an executable file which appears to be an image.
  4. Threat uses the Tor network to download Sermgr.exe (Trojan.Castov).
  5. Castov drops the Ole[VARIABLE].dll file (Trojan.Castov) in the Windows system folder.
  6. Castov downloads the CT.jpg file from a Web server hosting a ICEWARP webmail, that has been compromised as a result of publicly known vulnerabilities in ICEWARP. The CT.jpg file contains a timestamp used by Castov to synchronize attacks.
  7. Once this time is reached, Castov drops Wuauieop.exe (Trojan.Castdos).
  8. Castdos begins to overload the DNS server with DNS requests, effectively performing a DDoS attack affecting multiple websites.

Fake Vertu App Infects Korean and Japanese Android Users

A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.

Fake Vertu app in Japanese.

Fake Vertu app in Japanese. (Click on images to enlarge.)

On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP post. The malware then registers an Internet filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with the message in Japanese or Korean reporting that the service was unavailable and to please try again.

Threat Details 2

McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps–from coffee to fast-food chains, including an antivirus product from Korea that was uploaded and revoked from Google Play–were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 to 60,000 mobile users, according to our analysis.

Fake Vertu app in Korean.

Fake Vertu app in Korean.

The new variant now extends to Japanese victims. Most other threats targeting  Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.

Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.

The most bizarre aspect of this new strain remains to be explained, and highlights a limitation in the antimalware research field. Regardless whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects to a case in which no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that’s an evasive technique dubbed server-side polymorphism, and attempts to avoid detections by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.

image files discovered in the package

The malware authors included an image of  London Mayor Boris Johnson.

Copyright © 2015. Powered by WordPress & Romangie Theme.