NEWS FROM THE LAB - Monday, March 25, 2013

South Korean Wipers and Spear Phishing E-mails Posted by Brod @ 09:43 GMT

News broke last week of a "wiper" malware that affected South Korean banks and broadcasting companies. NSHC Red Alert Team has published a detailed analysis of the malware here. There were several hashes mentioned for the same component, which suggest multiple operations under the same campaign.

So how did the affected companies get infected? No one knows for sure. However we came across the following archive:


The filename of the archive roughly translate to "The customer's account history". As a side note, Shinhan bank was one of the affected companies according to reports.

Those with keen eye would notice that the malware inside the archive is using double extensions combined with a very long filename to hide the real extension. This is a common social engineering tactic that started during the era of mass mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as attachment in spear phishing e-mails.

The malware has a datestamp of March 17, 2013, which is just few days before the incidents. It uses the icon of Internet Explorer and opens the following decoy upon execution:

HTML decoy document

In the background, the malware downloads and executes the following:

   saved as %systemdirectory%\hzcompl.dll

   saved as %systemdirectory%\%random%.dll

   saved as %systemdirectory%\sotd.dll

Several other HTTP requests are also made, possibly to download other dependencies of the payloads or simply to obscure the malicious requests from admins monitoring the network traffic.

The URLS are either already down or cleaned during our analysis. However the filenames still gave us some clue on the styles of the attacker. For example the file extensions suggest that the payload may be a DLL file. Also "btn_mycomputer.gif" suggest that the payload may disguise as an image of a button in a URL. Since we are investigating for possible links to the wiper payloads, we started looking at existing samples.

Although we were not able to find exact matches, there were a couple variants of the wiper component that matches the style. The first uses a similarly themed filename called "mb_join.gif" which may be trying to disguise as an image of a join button on some mobile banking website. The other is a time triggered DLL sample:

Time trigger

The code above is equivalent to "(month * 100 + day) * 100 + hour >= 32,015" which will only be satisfied during March 20 15:00 and later.

Besides spear phishing e-mails, not all affected systems need to get infected themselves. Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its user, who uses a vulnerable SSH client, infected for it to get toasted!

It is interesting to note that Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks. These are either third party applications or not supported by Windows natively. Not to mention the attacks specifically wipe remote Linux and Unix based systems. All these specifics give the impression of a targeted attack.