Are the 2011 and 2013 South Korean Cyber Attacks Related?

Overview
In the past four years there have been several major cyber attacks against South Korea. We have identified a particular back door (Backdoor.Prioxer) that surfaced during the 2011 attacks. A modified version of this back door was also discovered during the 2013 attacks. The back door is based on publicly available code, but there are some indications that the same individuals are responsible for the 2011 and 2013 versions, pointing towards a possible connection between the two attacks.

Background
The first documented major attack was in July, 2009. The attacks began on July 4, Independence Day in the United States, and consisted of a distributed denial-of-service (DDoS) attack against various Korean and US government and financial websites. A second wave of attacks occurred on July 7 and a third wave on July 9. The malware used to launch the attacks was Trojan.Dozer, which was spread through e-mail. Trojan.Dozer contained a time bomb in its code, triggered on July 10. This time bomb would overwrite various types of files on the hard drive and then overwrite the first one megabyte of the hard drive, destroying the MBR and partition table. The hard drive was overwritten with the string, “Memory of the Independence Day.”

The second major attack occurred on March 4, 2011. This attack was again a DDoS and again, against U.S. and South Korean government institutions. The malware used was Trojan.Koredos. This malware also overwrote a specified set of file types and destroyed the MBR. During investigations into these attacks, a back door Trojan called Backdoor.Prioxer was discovered. The back door was quite sophisticated and infected files in a discreet manner. You can see our previous blog, which describes this technique in detail.

The third attack occurred on March 20, 2013. This attack does appear to have used only hard drive overwrites, and no DDoS attacks. Trojan.Jokra overwrites the MBR and then the contents of the hard drive, independent of file format. It then looks for any mapped network drives and attempts to overwrite those as well. There appear to be multiple installation vectors, including e-mail and patch management. Patch management is an auto-update system that was compromised to deliver the malware.

Similar to the 2011 Trojan.Koredos investigation, we discovered a new version of Backdoor.Prioxer while examining files from computers compromised with Trojan.Jokra. When we investigated this file further, in an attempt to determine how it was installed onto victims’ computers, we established a link with Trojan.Jokra.

Making connections
The Trojan.Jokra samples are obfuscated by the Jokra packer. The Jokra packer was also used to obfuscate Trojan Horse (with an MD5 of 50e03200c3a0becbf33b3788dac8cd46). Trojan Horse then downloads Backdoor.Prioxer from the following location:

http://www.skymom.co.kr/[REMOVED]/update_body.jpg

There is an additional link between Trojan.Jokra and Backdoor.Prioxer based on the Jokra packer. The Trojan Horse sample, which is packed with the Jokra packer, contains a build path string. This string describes where the sample was compiled on disk. The path is:

 Z:\Work\Make Troy\3RAT Project\3RATClient_Load\Release\3RATClient_Load.pdb

Backdoor.Prioxer also contains a build string:

 Z:\Work\Make Troy\Concealment Troy\Exe_Concealment_Troy(Winlogon_Shell)\Dll\Concealment_Troy(Dll)\Release\Concealment_Troy.pdb

Clearly, the two separate pieces of malware were compiled from the same build source directory, Z:\work\Make Troy.
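The build-path correlation above can be reproduced mechanically. The following is an added example, not code from the original post: it pulls PDB paths out of CodeView "RSDS" debug records and groups samples by their shared build directory. The sample blobs are constructed fixtures embedding the two paths quoted above, not real PE files.

```python
"""Extract PDB build paths from binaries and group samples by shared build directory."""
import re
import struct
from collections import defaultdict

# CodeView "RSDS" record: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
_RSDS = re.compile(rb"RSDS.{16}.{4}([ -~]{1,512}?)\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path carried by an RSDS debug record inside the blob."""
    return [m.group(1).decode("ascii", "replace") for m in _RSDS.finditer(data)]


def build_dir_prefix(path: str, depth: int = 3) -> str:
    """Normalise a Windows build path and keep its first `depth` directory levels."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return "\\".join(parts[:depth]).lower()


def cluster_by_build_dir(samples: dict[str, bytes], depth: int = 3) -> dict[str, list[str]]:
    """Map each build-directory prefix to the names of the samples that carry it."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, blob in samples.items():
        for path in extract_pdb_paths(blob):
            clusters[build_dir_prefix(path, depth)].append(name)
    return dict(clusters)


def make_rsds_blob(path: str, age: int = 1) -> bytes:
    """Construct a synthetic blob with one RSDS record (a test fixture, not a real PE)."""
    guid = bytes(range(16))  # placeholder GUID, constructed for the fixture
    record = b"RSDS" + guid + struct.pack("<I", age) + path.encode() + b"\x00"
    return b"\x90" * 32 + record + b"\xcc" * 16


# Constructed fixtures: the two build strings quoted in the post plus an unrelated sample.
SAMPLES = {
    "trojan_horse_downloader": make_rsds_blob(
        r"Z:\Work\Make Troy\3RAT Project\3RATClient_Load\Release\3RATClient_Load.pdb"),
    "backdoor_prioxer": make_rsds_blob(
        r"Z:\Work\Make Troy\Concealment Troy\Exe_Concealment_Troy(Winlogon_Shell)"
        r"\Dll\Concealment_Troy(Dll)\Release\Concealment_Troy.pdb"),
    "unrelated_sample": make_rsds_blob(r"C:\Users\dev\src\tool\Release\tool.pdb"),
}

if __name__ == "__main__":
    for prefix, names in cluster_by_build_dir(SAMPLES).items():
        print(f"{prefix!r}: {names}")
```

Running it against real samples means reading the files' bytes into `SAMPLES`; a shared prefix is only a lead, since build paths can be copied or forged.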

Work or fun?
If the Jokra packer is limited to the one group, then the connections between Backdoor.Prioxer and Trojan.Jokra are reliable. We believe that this packer is not publicly distributed because the number of detections for it is very low, detections are limited to Korea, and so far they have only covered Jokra, the downloader, and the back door Trojan containing the “Z:” build string. This low prevalence is an indication that the packer is in use by only one group.

The connection between Backdoor.Prioxer and the 2011 attacks is not as clear cut. It is certainly suspicious that versions of Backdoor.Prioxer have been present during both attacks, but it could be explained away as the Trojan merely being discovered during the course of an investigation and not actually being related to the attacks. However, we think it is likely that the samples are related, given the Jokra connection.

Finally, the build path itself used in the Backdoor.Prioxer sample is informative. The path is “Z:\work”, and it seems unlikely that an independent hacktivist would use a folder labeled “work” to store their Trojan. For them, the development of a Trojan is not work, it is fun. The type of person who stores their code in a work folder is someone who is doing this professionally. The implication is that someone has been paid or ordered to perform these attacks, either as a contractor or as an employee.
