Last week there was a major incident in the information security world: South Korea suffered a large-scale APT attack, now known as the "DarkSeoul" incident. The scale is unprecedented, and the whole story is worth learning from for every sector. All the major media and vendors have already weighed in. In that spirit, let us add our own small contribution :)
First, let's recall what happened on March 20. (Thanks to GD / chroot.)
- NongHyup (Agricultural Cooperative) Bank: 30 branches and about 2,000 computers hit; counter services stopped; half of the ATMs down.
- Shinhan Bank: 57 branches hit; all databases down; all services stopped for 2 hours; cards could not be used at the counter.
- Jeju Bank: extent of the damage unknown; most staff computers affected; all ATMs down.
- KBS: 5,000 computers hit; radio stations went off the air; the Busan evening broadcast stopped; official website taken down.
- MBC: 800 computers hit; half of the employees' machines down; all external feed sources disconnected; everything done on laptops.
- YTN: 500 computers hit; TV broadcasting normal, but the news system down.
- LG U+ (ISP): internal computers hit; websites defaced.
These are three major South Korean banks. As soon as the incident happened, South Korea's military even raised its INFOCON from level 4 to level 3.
Xecure Lab did some research and discussion on the malware samples from this incident. First, we state up front that we did not take part in the investigation; all of the information and samples were collected from the network as best we could. We used our own analysis product, Xecray, to analyze the samples, and we also presented this material at the forum on the South Korean security incident that HITCON held the day before yesterday.
[AD insert]
Xecray is an automated identification and analysis toolset developed by Xecure Lab for APT attacks. The reports below were produced by Xecray.
Most of the information below comes from the analysis and identification results on the malware samples. We hope the samples that have been released can tell us part of the story.
Note: some of the arguments are my inferences from limited information, not established facts, for reference only.
Information and samples about this incident are scarce: our Korean friends are busy, and the full report is not out yet. After sorting through what we could find, we identified a total of 10 related programs through forensic analysis.
The first samples published were K01-K04; Mila later published K05 and K06. The DarkSeoul malware has several characteristics that we believe are directly related to this incident:
- Disk wiper functionality
- Overwrites the MBR with the strings HASTATI, PRINCPES, PR!NCPES
- Accesses the MBR through \\.\PhysicalDrive
- Creates a mutex named JO840112-CRAS8468-11150923-PCI8273V
- Attack trigger set for 14:00-15:00 on March 20, 2013
- Kills antivirus processes:
  - AhnLab Policy Agent: pasvc.exe
  - Hauri ViRobot: clisvc.exe
- The attack is linked to the "Whois Team"
In APT campaigns, antivirus software is always the first to fall :(
It even gets used as a channel to push malware; hackers love it.
In several of the programs we can see that the hackers used 2013-03-20 (14:00-15:00) as the attack time, and the programs with this characteristic are also believed to be directly related to the incident.
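The MBR overwrite is the indicator a responder can check fastest on a dead box: the first sector either still carries a boot signature and partition table, or it is full of one of the marker strings listed above. The following triage script is an added example written for this post, not Xecure Lab's code or Xecray output. It assumes only what the post states (the three marker strings and the fact that they are written back to back), and the two sample sectors it builds are constructed, not taken from the real samples.

```python
import struct

# Marker strings the post reports being written over the MBR by the DarkSeoul
# wiper samples (K01-K04). The wiper writes them back to back.
WIPER_MARKERS = (b"HASTATI", b"PRINCPES", b"PR!NCPES")
SECTOR = 512


def sector_marker(sector):
    """Return the wiper marker that dominates a sector, or None.

    Requiring the marker to cover at least half of the sector keeps an ordinary
    boot sector that merely contains a stray string from being flagged.
    """
    if not sector:
        return None
    for marker in WIPER_MARKERS:
        if sector.count(marker) * len(marker) >= len(sector) // 2:
            return marker.decode()
    return None


def parse_partitions(mbr):
    """Return the non-empty entries of the classic 4-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"bootable": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(data):
    """Triage the first sector of a raw disk image or a 512-byte MBR dump."""
    mbr = data[:SECTOR]
    valid = len(mbr) == SECTOR and mbr[510:512] == b"\x55\xaa"
    return {
        "valid_signature": valid,
        "partitions": parse_partitions(mbr) if valid else [],
        "wiper_marker": sector_marker(mbr),
    }


def count_wiped_sectors(image):
    """Count sectors of a raw image that look overwritten by the wiper."""
    return sum(1 for off in range(0, len(image), SECTOR)
               if sector_marker(image[off:off + SECTOR]) is not None)


def build_clean_mbr():
    """Constructed sample: boot-code stub, one NTFS partition, valid signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"  # short jump, as real boot code begins
    # bootable, type 0x07 (NTFS), starting at LBA 2048, 1 GiB worth of sectors
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 2 * 1024 * 1024)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_wiped_sector(marker=b"PRINCPES"):
    """Constructed sample: a sector as the wiper leaves it, marker repeated end to end."""
    return (marker * (SECTOR // len(marker) + 1))[:SECTOR]


if __name__ == "__main__":
    # constructed image: clean MBR, three wiped sectors, one untouched zero sector
    image = build_clean_mbr() + build_wiped_sector() * 3 + bytes(SECTOR)
    print(inspect_mbr(build_clean_mbr()))
    print(inspect_mbr(build_wiped_sector(b"HASTATI")))
    print("wiped sectors:", count_wiped_sectors(image))
```

Run it against a real image with `inspect_mbr(open("disk.dd", "rb").read(512))`; `count_wiped_sectors` is meant for the first few megabytes of an image, which is enough to see how far past the MBR the overwrite ran.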
When the K07 sample executes, it drops an HTML file whose code contains "Hacked by Whois Team". In the March 20 attack, the ISP LG U+ was also hit and its web pages defaced.
From Xecray's automated analysis, K07 shows the "Hacked by Whois Team" characteristic and is also suspected to carry disk-wiping functionality. So we think K07 is directly related to this incident.
(Reference: http://www.f-secure.com/weblog/archives/00002531.html)
Some blogs say that K08 ties this incident to APT phishing emails. I think that is a bit far-fetched. At most, the file name is "Shinhan bank". There is currently no direct evidence that it was used in this attack, and I don't know whether the RAR was sent by the hackers to the public or to people inside the bank. Moreover, K08 shows none of the characteristics listed above; it looks more like ordinary crimeware or a banking trojan. Of course, we look forward to more evidence from analysis of the material that has been released.
(To be honest, we also sell an APT malicious-email detection system, so I would love to say this incident involved APT emails, but the evidence is not there yet.)
K10 is the most discussed sample. It is like an enhanced version of K01: in addition to the disk wiper, it can destroy data on UNIX hosts. It drops the following under the temp directory:
- alg.exe (PuTTY)
- conime.exe (PuTTY's SCP)
- AgentBase.exe (the same hard-disk wiper as K01-K04)
- ~pr1.tmp: a shell script used to wipe data on SunOS, AIX, HP-UX and Linux hosts
It pushes the script to UNIX/Linux hosts through the bundled PuTTY and SCP and runs it there... that is hardcore XD
Some information found in K10 may point at the author: a path beginning with E:\…
Xecure Lab then collated these samples. If we use the malware's PE timestamps to plot a timeline, we can observe several interesting facts:
K01-K04 are the most discussed samples in this incident. Their PE build time is 2013-01-31.
K05 and K06 are not directly related to DarkSeoul, but the binary structure of the programs is very similar to K01-K04: perhaps the same packer/shell with different payloads. K05 and K06 are not disk wipers but downloaders. It is worth mentioning that K06 was first seen on August 30, 2012, under the file name jar_cachexxxxx.tmp. The date and file name give a hint: could this malware have been deployed as early as last year, when Java exploits were popular!? (This is my conjecture.)
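Plotting a build timeline like the one above only needs the COFF TimeDateStamp from each PE header. The script below walks the header by hand (DOS header, e_lfanew, PE signature, COFF header) and sorts a set of samples by build time. It is an added example for this post, not Xecure Lab's tooling; the two inputs it builds are constructed minimal headers, and their stamps are placeholders taken from the dates the post mentions (K01's build date and the date K06 was first seen), not the real files' timestamps.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Layout walked: e_lfanew at offset 0x3C of the DOS header gives the offset of
    the PE signature; the 20-byte COFF file header follows it, with the 32-bit
    build timestamp (seconds since the Unix epoch) at offset 4 of that header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timeline(samples):
    """samples: {name: image bytes}. Returns [(name, build datetime)], oldest first."""
    rows = [(name, pe_timestamp(blob)) for name, blob in samples.items()]
    return sorted(rows, key=lambda row: row[1])


def utc_stamp(year, month, day):
    """Unix timestamp for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def build_fake_pe(stamp):
    """Constructed sample: the minimum header bytes needed to carry a timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # COFF header: Machine=i386, NumberOfSections=0, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed inputs: placeholder stamps from dates the post mentions, not real samples.
SAMPLES = {
    "K01": build_fake_pe(utc_stamp(2013, 1, 31)),
    "K06": build_fake_pe(utc_stamp(2012, 8, 30)),
}

if __name__ == "__main__":
    for name, built in timeline(SAMPLES):
        print(f"{built:%Y-%m-%d %H:%M} UTC  {name}")
```

For real files, pass `open(path, "rb").read()` as the image. Keep in mind that the stamp is set by the linker and can be zeroed or forged, so a timeline built from it is a lead to corroborate with first-seen dates, not proof of when a sample was built.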
After studying the DarkSeoul samples, I have several observations:
- I didn't see any backdoor or trojan samples, only the attack payloads. That is disappointing. Maybe it is just that the incident only just happened and the security experts are still busy investigating, or the key information is being withheld for now and what has leaked out is believed to be only a small part of the story.
- The attack plan likely began either after 2012-08-30 or after 2013-01-31. What is certain is that the attack was staged over several months rather than being random, which is typical of an APT campaign.
- Who did it? Everyone asks. But with the current clues there is no IP/domain information to infer from, because these samples are not backdoors with network activity. The first AlienVault article mentioned the IP 103.14.114.156, which led many news outlets to guess at the source of the attack. But we judge that the malware in that article is not a DarkSeoul sample but a generic banking trojan; it simply appeared at the right time and had something to do with a bank, so it was misidentified. Like K08, it has also been said to involve APT email.
We look forward to more investigation reports from South Korea, so that we can study the full picture of a real national-scale APT attack.
A new generation of war has begun!
But the point is, someone has been beaten... XD
Birdman, Benson
Xecure Lab
----- Sir: what would happen to us if an APT attack of this scale took place in Taiwan? Bird: haven't we been through it many times already? Honestly, it's nothing like that. Please don't worry, sir.
---- HITCON 2013, 7/19-20, welcome to HITCON! http://hitcon.org/2013/