Are the 2011 and 2013 South Korean Cyber Attacks Related?

Overview
In the past four years there have been several major cyber attacks against South Korea. We have identified a particular back door (Backdoor.Prioxer) that surfaced during the 2011 attacks. A modified version of this back door was also discovered during the 2013 attacks. The back door is based on publicly available code, but there are some indications that the same individuals are responsible for the 2011 and 2013 versions, pointing towards a possible connection between the two attacks.

Background
The first documented major attack was in July, 2009. The attacks began on July 4, Independence Day in the United States, and consisted of a distributed denial-of-service (DDoS) attack against various Korean and US government and financial websites. A second wave of attacks occurred on July 7 and a third wave on July 9. The malware used to launch the attacks was Trojan.Dozer, which was spread through e-mail. Trojan.Dozer contained a time bomb in its code, triggered on July 10. This time bomb would overwrite various types of files on the hard drive and then overwrite the first one megabyte of the hard drive, destroying the MBR and partition table. The hard drive was overwritten with the string, “Memory of the Independence Day.”

The second major attack occurred on the March 4, 2011. This attack was again a DDoS and again, against U.S. and South Korean government institutions. The malware used was Trojan.Koredos. This malware also overwrote a specified set of file types and destroyed the MBR.  During investigations into these attacks, a back door Trojan called Backdoor.Prioxer was discovered. The back door was quite sophisticated and infected files in a discreet manner.  You can see our previous blog, which describes this technique in detail.

The third attack occurred on March 20, 2013. This attack does appear to have used only hard drive overwrites, and no DDoS attacks. Trojan.Jokra overwrites the MBR and then the contents of the hard drive, independent of file format. It then looks for any mapped network drives and attempts to overwrite those as well. There appears to be multiple installation vectors, including e-mail and patch management. Patch management is an auto-update system that was compromised to deliver the malware.

Similar to the 2011 Trojan.Koredos investigation, we discovered a new version of Backdoor.Prioxer (labeled Backdoor.Prioxer.B) while examining files from computers compromised with Trojan.Jokra. This new version shares the same the same C&C base protocol, but does not proxy IRC communications as in the older version. When we investigated this file further, in an attempt to determine how it was installed onto victims’ computers, we established a link with Trojan.Jokra.

Making connections
The Trojan.Jokra samples are obfuscated by the Jokra packer. The Jokra packer was also used to obfuscate a downloader (encountered in August of 2012 with an MD5 of 50e03200c3a0becbf33b3788dac8cd46). This downloader was seen to download Backdoor.Prioxer from the following location:

http://www.skymom.co.kr/[REMOVED]/update_body.jpg

The link between Trojan.Jokra and Backdoor.Prioxer.B is also based on the Jokra packer. An additional malware sample (Trojan.Gen.2), located in the 2013 incident, which is packed with the Jokra packer, contains a build path string. This string describes where the sample was compiled on disk. 

The path is:

Z:\Work\Make Troy\3RAT Project\3RATClient_Load\Release\3RATClient_Load.pdb

A Backdoor.Prioxer.B sample found in the same investigation also contains a build string:

Z:\Work\Make Troy\Concealment Troy\Exe_Concealment_Troy(Winlogon_Shell)\Dll\Concealment_Troy(Dll)\Release\Concealment_Troy.pdb

Clearly, the two separate pieces of malware were compiled from the same build source directory, Z:\work\Make Troy.

Work or fun?
If the Jokra packer is limited to the one group, then the connections between Backdoor.Prioxer.B and Trojan.Jokra are reliable. We believe that this packer is not publicly distributed because the number of detections for it are very low, are limited to Korea, and so far have only covered Jokra, the downloader, and the back door Trojan containing the “Z:” build string. This low prevalence is an indication that the packer is in use by only one group.

The connection between Backdoor.Prioxer.B and the 2011 attacks is not as clear cut. It is certainly suspicious that versions of Backdoor.Prioxer have been present during both attacks, but it could be explained away as the Trojan merely being discovered during the course of an investigation and not actually being related to the attacks. However, we think it is likely that the samples are related, given the Jokra connection.

Finally, the build path itself used in the Backdoor.Prioxer sample is informative. The path is “Z:\work”, and it seems unlikely that an independent hacktivist would use a folder labeled “work” to store their Trojan. For them, the development of a Trojan is not work, it is fun. The type of person who stores their code in a work folder is someone who is doing this professionally. The implication is that someone has been paid or ordered to perform these attacks, either as a contractor or as an employee.