APT Attacks Shut Down

Wednesday, March 27, 2013 @ 06:03 AM gHale


In a joint move with security company FireEye, the Korea Information Security Agency shut down two message boards used by the Sanny malware as a command-and-control channel.

Sanny is a targeted attack, attributed to attackers in Korea, against individuals working in Russia’s aerospace, IT, education and telecommunications industries. The malware spread via a rigged Microsoft Word document attached to a spear phishing email. The text in the email is in Cyrillic; the document is a decoy that drops a malicious executable and two .dll files.

The message board hosting the malicious C&C channel is a legitimate board, nboard[.]net. Previous Sanny-based attacks communicated through pages called ecowas_1 and kbaksan_1.

“Based on the time stamps and other indicators, we believe that both samples were created and deployed at the same time,” FireEye said in a blog post. “The attacker probably used different boards/DBs to divide victims to make sure that if one goes down he/she still can keep getting the stolen data from the remaining ones.”

Both are now down and are no longer serving content, FireEye said.

The attackers had co-opted the nboard message boards, and because the boards did not require authentication for access, analysts were able to see complete lists of victims and compromised machines.

“The stolen data is encoded. Upon a quick look at the malware components, we find out that it is stealing lots of different kinds of passwords/credentials from the victim’s machine,” FireEye said. Credentials for Microsoft Outlook and Hotmail accounts lifted from Firefox sessions were stored there, as were Facebook log-ins. The malware also collected demographic data from the victim, including location, IP address, domain, ISP and country of origin.

In December, FireEye said that, based on its evidence, it could connect the attacks to machines in South Korea. The evidence included proof that the SMTP mail server and C&C channels were in Korea; the fonts used in the document were also Korean, as was the message board.

FireEye also said the attackers worked in two-day cycles at the time, logging in, collecting stolen data and then deleting it from the command and control server.


