Malware authors leave an interesting message in the code of a new threat.
Contributor: Satnam Narang
Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The campaigns are straightforward in execution and effective. Symantec data indicates they have been in operation since 2009, and Egobot has evolved continuously by adding new functionality. The attackers follow the four golden rules of a targeted campaign:
We have also uncovered a parallel campaign that has been in operation since as early as 2006, which we will cover in another blog.
Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:
Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.
Figure 1. Countries targeted with Backdoor.Egobot
The aim of the Egobot campaign is to steal confidential information from compromised computers.
The attackers gather information about their targets using social engineering techniques before luring them into the trap. The targets are sent a spear phishing email, often purporting to come from someone they already know. The email carries a message that is relevant or enticing to the target, prompting them to open the malicious attachment. The attachment may be a shortcut (.lnk) file that points to a file hosted on GeoCities Japan.
Figure 2. Egobot spear phishing email with malicious shortcut attachment
Various malicious attachments have been used in this campaign:
Opening an attachment triggers the following three-stage download process:
Stage 1: Download obfuscated HTML file
Each of the attachments downloads malware from sites hosted on GeoCities Japan. The file names vary but usually follow the pattern update[YYYYMM].xml. Despite the extension, the file is an obfuscated HTML file that drops an executable on the system.
Stage 2: Download RAR archive
The executable dropped in Stage 1 then retrieves another file from GeoCities Japan, named hotfix[YYYYMM].xml. This is an executable (self-extracting) RAR archive. Both files downloaded in the first two stages carry an .xml extension so that they pass as harmless XML documents.
Stage 3: Download back door component
The executable RAR archive prepares the system. It drops a set of files that move files into place, inject a component into processes, and collect the following system information:
Figure 3. Stolen system information found in Egobot strings
Stolen information is sent to Egobot's command-and-control (C&C) server in the following format:
Figure 4. Communication back to C&C server, arg1 value highlighted
Data sent back to the C&C server is encrypted using a rotating key embedded in the malware. We observed the following two keys:
Finally, the executable RAR archive downloads one last component from GeoCities Japan. This file is named after the value of arg1 in the GET request sent to the C&C server. In the case shown, Egobot attempts to download a file called 1irst.tmp, which is the main payload.
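The staging described in the three stages above can be turned into a simple triage check. The following Python is an added example written for this post, not code from Symantec or from the malware itself: it flags proxy-log requests for update[YYYYMM].xml or hotfix[YYYYMM].xml on GeoCities Japan hosts, and inspects a file served under an .xml name for the PE, RAR, or HTML content the post describes. The log format, the sample entries, the sample byte strings, and the assumption that GeoCities Japan pages were served from geocities.jp or geocities.co.jp are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Stage 1 and 2 file names from the post: update[YYYYMM].xml and hotfix[YYYYMM].xml
STAGE_NAME_RE = re.compile(r"^(update|hotfix)20\d{2}(0[1-9]|1[0-2])\.xml$", re.IGNORECASE)

# Assumption: GeoCities Japan content was served from these domains.
GEOCITIES_JP_HOSTS = ("geocities.jp", "geocities.co.jp")

MZ_SIG = b"MZ"               # PE header: stage 2 is an executable (SFX) RAR
RAR_SIG = b"Rar!\x1a\x07"    # RAR archive marker (RAR4 ends in \x00, RAR5 in \x01\x00)


def is_stage_url(url):
    """True for a GeoCities Japan URL whose file name matches the staging pattern."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_geocities = any(host == h or host.endswith("." + h) for h in GEOCITIES_JP_HOSTS)
    filename = parsed.path.rsplit("/", 1)[-1]
    return on_geocities and STAGE_NAME_RE.match(filename) is not None


def classify_xml_payload(data):
    """Tag what a file served under an .xml name actually contains."""
    tags = []
    if data[:2] == MZ_SIG:
        tags.append("pe")
    if RAR_SIG in data:
        tags.append("rar")
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<?xml"):
        tags.append("xml")
    elif head.startswith((b"<html", b"<!doctype html", b"<script")) or b"<script" in data[:4096].lower():
        tags.append("html")   # stage 1 is an obfuscated HTML dropper
    return tags


def is_disguised_xml(filename, data):
    """An .xml file that is really a PE, a RAR archive, or HTML matches what the post describes."""
    if not filename.lower().endswith(".xml"):
        return False
    return any(t in ("pe", "rar", "html") for t in classify_xml_payload(data))


def scan_proxy_log(lines):
    """Constructed log format: '<client_ip> <url> <bytes>'. Returns (client, url) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        client, url = fields[0], fields[1]
        if is_stage_url(url):
            hits.append((client, url))
    return hits


# Constructed samples for the example (not real captures).
SAMPLE_PROXY_LOG = [
    "10.0.0.12 http://www.geocities.jp/user123/update201309.xml 8812",
    "10.0.0.12 http://www.geocities.jp/user123/hotfix201309.xml 412000",
    "10.0.0.17 http://example.com/news/update201309.xml 3300",
    "10.0.0.19 http://www.geocities.jp/user123/index.html 2100",
]
STAGE1_SAMPLE = b"<html><head><script>eval(unescape('%64%72%6f%70'))</script></head></html>"
STAGE2_SAMPLE = MZ_SIG + bytes(62) + RAR_SIG + b"\x00" + bytes(16)
CLEAN_XML = b'<?xml version="1.0"?><settings><update>1</update></settings>'

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("staging URL:", client, url)
    for name, blob in [("update201309.xml", STAGE1_SAMPLE),
                       ("hotfix201309.xml", STAGE2_SAMPLE),
                       ("settings.xml", CLEAN_XML)]:
        print(name, classify_xml_payload(blob), "disguised" if is_disguised_xml(name, blob) else "ok")
```

The content check matters more than the URL pattern: the host and file names can change between campaigns, but a file that is delivered as .xml and starts with an MZ header, carries a RAR marker, or is HTML is the disguise the post describes regardless of where it was fetched from.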
The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:
The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also added 64-bit versions of their code so that the malware works seamlessly on 64-bit platforms.
Staying under the radar
Egobot arrives on a system as a bundled RAR archive whose components are packed with the exe32pack and UPX packers. The following components are used to mask the presence of the malware:
Figure 5. Backdoor.Egobot components
And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.
Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed "DarkSeoul" against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.
Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to "highanon2013" or executing specific wipe instructions related to the following file types:
The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.
Figure. Trojan.Korhigh wallpaper
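A forensic check for the MBR damage described above, as an added example that is neither Symantec's code nor derived from the Trojan: it parses a 512-byte sector zero, verifies the 0x55AA boot signature and the four primary partition entries, and reports a boot-code area filled with a single repeated byte. Two kinds of sample sector are constructed inline, one intact and two overwritten; the assumption that a wipe leaves a uniform fill is the example's own, since the post does not describe the exact overwrite pattern.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Return the four primary partition entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector):
    """List the reasons a sector does not look like a bootable MBR (empty list = looks intact)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if len(set(sector[:PART_TABLE_OFFSET])) <= 1:
        # Assumption: a wiper overwrite leaves the boot code area as a single repeated byte.
        findings.append("boot code area is a uniform fill")
    entries = parse_partition_table(sector)
    if all(e["type"] == 0 for e in entries):
        findings.append("no partition entries")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
    return findings


def looks_wiped(sector):
    return bool(triage_mbr(sector))


# Constructed sample sectors (not taken from an infected machine).
def build_intact_mbr():
    sector = bytearray(MBR_SIZE)
    # Stand-in for real boot code: a varied byte pattern so the uniform-fill check passes.
    sector[:PART_TABLE_OFFSET] = bytes((i * 37 + 11) & 0xFF for i in range(PART_TABLE_OFFSET))
    # One active NTFS partition (type 0x07) starting at LBA 2048, 204800 sectors long.
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


ZERO_WIPED_MBR = bytes(MBR_SIZE)          # overwritten with zeros
PATTERN_WIPED_MBR = b"\x41" * MBR_SIZE    # overwritten with a repeated byte

if __name__ == "__main__":
    # To triage a real disk image, read its first 512 bytes: open(path, "rb").read(512)
    for label, sec in [("intact", build_intact_mbr()), ("zeroed", ZERO_WIPED_MBR),
                       ("pattern", PATTERN_WIPED_MBR)]:
        print(label, "wiped" if looks_wiped(sec) else "ok", triage_mbr(sec))
```

Run it against the first sector of a disk image taken from a suspect machine; reading sector zero of a live disk on Windows requires administrator rights, so the forensic image is the safer input.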
The threat may also attempt to gather system information about the compromised computer (operating system version, computer name, current date), which it sends to the following IP addresses:
Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.