Korean message forum becomes cyber-espionage hub
By John Leyden
Security researchers have discovered a targeted attack against Russian hi-tech firm that appears to originate in Korea.
The “Sanny” attack* is malware-based and geared towards stealing login information from Russian telecommunications, information technology and space research organisations. The first stage of the assault features a malicious Russian language MS Word document designed to drop malware onto compromised PCs. This establishes a backdoor on infected machines, establishing a botnet in the process.
The Command and Control channel for this botnet is embedded on a legitimate page, a Korean message board called “nboard.net”, according to an analysis of the attack by web security firm FireEye. The malware sends messages to two pre-programmed Yahoo! webmail address, one in Korea, if the board becomes unavailable.
Extracted data is normally sent to a public message board that does not require authentication, so details of victims are visible. Stolen data includes Outlook login credentials as well as username/passwords that Firefox remembers for different online services such as Hotmail, Facebook, etc. Apart from login credentials, the malware also profiles the victims, for example by victim_locale, victim_region, and other relevant information from the Windows REGISTRY of infected computers. This information is then posted to the Korean message board before been extracted and purged over a two day cycle by the unidentified attacker.
Apparent victims include a Russian Space Science research unit at a Russian University and ITAR-TASS, the Russian state-owned news agency.
Although it doesn’t have proof, FireEye reckons that a Korean is the most likely perpetrator of the attack.
“Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack.” FireEye researchers Alex Lanstein and Ali Islam conclude in a jointly authored blog post on the attack.
More technical details can be found in a blog post by FireEye here . ®
* So named by the security researchers for one of the email addresses used by the attackers.