SecurityWeek

Malware & Threats

APT Attack Targets South Korea, United States for Years

Researchers at Symantec say a sophisticated backdoor Trojan known as Egobot is targeting confidential information from South Korean companies as well as corporations doing business with South Korea.

The attack, which has been traced back to 2009, often begins with a spear-phishing email containing malware. So far, the targeted businesses have fallen into four main categories: finance and investment, infrastructure and development, government agencies and defense contractors. While many of the victims have been in South Korea, others are located in Australia, Russia, Brazil and the United States.

“The attackers gather information about their targets using social engineering techniques prior to luring them into the trap,” explained Symantec’s Jeet Morparia. “The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.”

In addition to .LNK files, the attackers have also used malicious Microsoft Word documents that exploit CVE-2010-3333 and CVE-2011-0609. They have also taken to using .HWP files containing a script that downloads a malicious file.

When the attachments are opened, the attachments download malware from GeoCities Japan. The dropped executable then retrieves a RAR file from GeoCities Japan. Both these files are disguised as XML documents in an attempt to pass as a clean file, Morparia noted.

The executable RAR file drops a set of files responsible for moving files around, injecting a component into processes and stealing system information such as the Windows version, install language and installed service pack version.
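The delivery chain above relies on an executable and a RAR archive being served under XML names. A simple defensive check is to compare a file's claimed extension against its magic bytes; the following is an added example (not Symantec's or SecurityWeek's code) that flags such masquerades over constructed sample files, with the file names and contents being invented for illustration.

```python
import re

# Magic-byte signatures for the container types the article describes being
# disguised as XML: Windows PE executables and RAR archives (v4 and v5 headers).
PE_MAGIC = b"MZ"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# A genuine XML document starts with an optional UTF-8 BOM, optional
# whitespace, and then the '<' of a declaration or root element.
XML_START = re.compile(rb"^(\xef\xbb\xbf)?\s*<")


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(PE_MAGIC):
        return "pe"
    if XML_START.match(data):
        return "xml"
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file claiming to be XML by extension carries a PE or RAR header."""
    if not filename.lower().endswith(".xml"):
        return False
    return detect_type(data) in ("pe", "rar4", "rar5")


# Constructed sample downloads (not real Egobot payloads): a PE stub, a RAR v4
# archive header and a benign XML document, all delivered under .xml names.
SAMPLES = {
    "update.xml": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "data.xml": RAR4_MAGIC + b"\xcf\x90\x73\x00\x00\x0d\x00\x00\x00",
    "config.xml": b'<?xml version="1.0"?><config/>',
}


def flag_masquerades(samples: dict) -> list:
    """Return, sorted, the names whose content contradicts the .xml claim."""
    return sorted(n for n, d in samples.items() if is_masquerading(n, d))


if __name__ == "__main__":
    for name in flag_masquerades(SAMPLES):
        print(f"{name}: named as XML but carries a {detect_type(SAMPLES[name])} header")
```

The same check can be applied to attachments or proxy-captured downloads, where a content/extension mismatch is a cheap, high-signal trigger for further inspection.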

“The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include: recording video, recording audio, taking screenshots, uploading files to a remote server, obtaining a recent document list, searching for a string or pattern in a file [and] deleting and setting restore points,” Morparia blogged. “The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.”

Egobot has been able to stay under the radar due to a number of components responsible for masking its presence. For one, Egobot is compiled using an older version of Microsoft’s Detours software package, which includes the detoured.dll file and is used by the attackers to attach malicious .dll files to legitimate Win32 binaries. Egobot can use this file to run itself in the memory of a legitimate process, disguising itself as a benign process, the researcher explained. In addition, there is a coordinator component that prepares files by moving them into the appropriate folders and injecting them into legitimate processes, and certain versions of the backdoor include a timer so that the Trojan deletes itself after a certain date.

The Egobot attack has been linked to a parallel campaign that traces back to 2006, uses an infostealer known as Nemim, and has targeted organizations in Japan, the U.S., India and the United Kingdom.

“One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer,” blogged Symantec researcher Andrea Lelli. “Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.”

An analysis of the Nemim binaries also revealed other connections to Egobot, including similarities in the command and control communication format and use of encryption. While Egobot is highly targeted and estimated to have infected fewer than 100 machines, Nemim is believed to have impacted thousands.

“Nemim continues to operate today and has effectively evolved over time,” blogged Lelli. “For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
