On June 25, 2013, South Korea was hit with a cyber attack that affected several local government and news sites. We managed to track some of the attacks that made up this event: (1) the compromise of the auto-update mechanism of a file-sharing and storage application, and (2) a DDoS attack scenario that had surprising similarities with the March 20 MBR-wiping incident in South Korea.
How was the attack carried out?
Compromised auto-update mechanism
The attack involved SimDisk, a file-sharing and storage service in South Korea. As with much current software, it sported a non-intrusive auto-update mechanism that kept itself updated and patched in the background.
The auto-update feature was used as a delivery method for the attack; the website where the application was supposed to download its updates was compromised with a modified version of its installer. This modified version, detected as TROJ_DIDKR.A, is downloaded as an 'update' by SimDisk onto the affected system.
It drops a legitimate SimDisk installer in order to simulate normal behavior, together with a malware component that downloads another piece of malware. This second malware then drops the components that carry out the attack in full: a configuration file, a Tor client, and a malicious file that connects to the Tor network. Tor is a legitimate online service that allows for concealment and protection of a system's communication on the Internet. Its use in this attack is possibly a deliberate tactic to avoid detection. The diagram below illustrates this attack chain:
Further investigation also revealed a similar attack. This attack follows the same routines stated above, but took advantage of the software Songsari. This particular attack's components are detected as TROJ_DIDKR.B.
The DDoS attack involves a routine reminiscent of the March 20 MBR wiper attack in South Korea. This time, the DDoS begins with a malware dropping a malware component onto the affected system. The dropped component varies depending on whether the affected system's operating system is 32- or 64-bit. The malware component then drops a .DLL file that checks these two requirements:
The affected system has a working Internet connection - which the malware uses to connect to a website to check for a predetermined response.
The date and time of the affected system matches predetermined date and time from a downloaded file.
If both requirements are met, the DDoS component DDOS_DIDKR.C is then dropped onto the system and executed. It carries out a DDoS attack by repeatedly sending large DNS packets to two IP addresses, which are the primary and secondary DNS name servers for South Korean government websites. By attacking these IP addresses, the cybercriminals responsible prevented users from accessing the government sites, as well as any other websites that used these IP addresses as their DNS name servers.
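The write-up describes the DDoS component flooding the two name servers with repeated, oversized DNS packets. The following is an added example, not code from the original write-up or from Trend Micro, of how a defender could flag that traffic pattern in flow records: the IP addresses, thresholds and sample records are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the incident): timestamp, source IP,
# destination IP, destination port and UDP payload length in bytes.
# 192.0.2.53 stands in for a targeted name server (RFC 5737 documentation range).
_T0 = datetime(2013, 6, 25, 10, 0, 0)
SAMPLE_FLOWS = (
    # one host hammering the resolver with oversized queries
    [(_T0 + timedelta(milliseconds=300 * i), "10.0.0.5", "192.0.2.53", 53, 900) for i in range(8)]
    # normal-looking lookups from another host
    + [(_T0 + timedelta(seconds=i), "10.0.0.7", "192.0.2.53", 53, 64) for i in range(3)]
    # two large packets from a third host: below the count threshold
    + [(_T0 + timedelta(seconds=i), "10.0.0.9", "192.0.2.53", 53, 900) for i in range(2)]
    # large packets to a non-DNS port are ignored by the detector
    + [(_T0 + timedelta(milliseconds=100 * i), "10.0.0.5", "192.0.2.80", 80, 1400) for i in range(6)]
)


def detect_dns_flood(flows, size_threshold=512, min_packets=5, window=timedelta(seconds=10)):
    """Return {(src, dst): peak_count} for source/destination pairs that sent at
    least `min_packets` DNS packets larger than `size_threshold` bytes to port 53
    within any sliding window of length `window`.

    512 bytes is the classic UDP DNS limit without EDNS; treat the threshold as a
    site-specific tuning knob rather than a hard rule (assumption of this example).
    """
    per_pair = defaultdict(list)
    for ts, src, dst, port, length in flows:
        if port == 53 and length > size_threshold:
            per_pair[(src, dst)].append(ts)

    alerts = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it lies within `window` of ts
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_packets:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_dns_flood(SAMPLE_FLOWS).items():
        print(f"possible DNS flood: {src} -> {dst}, {n} oversized packets in window")
```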
Why is this incident notable?
This incident is noteworthy because of how the cybercriminals responsible leveraged their attacks against South Korean government and news agency sites. Not only did the cybercriminals use different attack types in a concerted effort, they also utilized certain tactics to have their attacks inflict as much damage as possible.
One of these is the abuse of legitimate software features and services (SimDisk/Songsari's auto-update feature, and the Tor network) in order to infiltrate systems and hide routines. Another tactic they used is the specific targeting of IP addresses that served as DNS name servers – a tactic that brought down as many websites as possible.
Are Trend Micro customers protected from this threat?
Yes. All malware in this attack is actively detected and removed by Trend Micro products and the Trend Micro™ Smart Protection Network.