APT Attack Targets South Korea, United States for Years

Researchers at Symantec say a sophisticated backdoor Trojan known as Egobot is targeting confidential information from South Korean companies as well as corporations doing business with South Korea.

The attack, which has been traced back to 2009, often begins with a spear-phishing email containing malware. So far, the targeted businesses have fallen into four main categories: finance and investment, infrastructure and development, government agencies and defense contractors. While many of the victims have been in South Korea, others are located in Australia, Russia, Brazil and the United States.

“The attackers gather information about their targets using social engineering techniques prior to luring them into the trap,” explained Symantec’s Jeet Morparia. “The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.”

In addition to .LNK files, the attackers have also used malicious Microsoft Word documents that exploit CVE-2010-3333 and CVE-2011-0609. They have also taken to using .HWP files containing a script that downloads a malicious file.

When the attachments are opened, they download malware from GeoCities Japan. The dropped executable then retrieves a RAR file from GeoCities Japan. Both of these files are disguised as XML documents in an attempt to pass as clean files, Morparia noted.
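A defender can catch this kind of disguise by comparing what a downloaded file claims to be with what its first bytes say it is. The following is an added example, not code from Symantec or from the original article; it assumes the disguise shows up as a `.xml` file name, and the file names and sample bytes are constructed.

```python
import struct

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")

def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_xml(data: bytes) -> bool:
    """First non-blank character after an optional BOM is '<'."""
    for bom in BOMS:
        if data.startswith(bom):
            data = data[len(bom):]
            break
    return data.replace(b"\x00", b"").lstrip()[:1] == b"<"  # tolerate UTF-16

def real_type(data: bytes) -> str:
    if is_pe(data):
        # A PE carrying a RAR marker is consistent with a self-extracting archive.
        return "pe+rar" if any(m in data for m in RAR_MAGICS) else "pe"
    if data.startswith(RAR_MAGICS):
        return "rar"
    return "xml" if looks_like_xml(data) else "unknown"

def classify(name: str, data: bytes) -> str:
    """Flag files whose name claims XML but whose bytes say otherwise."""
    kind = real_type(data)
    if name.lower().endswith(".xml") and kind != "xml":
        return f"MISMATCH: named .xml, content is {kind}"
    return f"ok: {kind}"

def make_pe() -> bytes:
    """Constructed 68-byte PE header stub, used only as sample input."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

SAMPLES = {  # constructed file names and contents, not taken from the campaign
    "update.xml": make_pe(),
    "data.xml": RAR_MAGICS[0] + b"\x00" * 16,
    "bundle.xml": make_pe() + b"\x00" * 8 + RAR_MAGICS[1],
    "config.xml": b'\xef\xbb\xbf<?xml version="1.0"?><cfg/>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify(name, blob)}")
```

The same comparison can be run over proxy or gateway captures, where the claimed type comes from the URL path or `Content-Type` header instead of a local file name.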

The executable RAR file drops a set of files responsible for moving files around, injecting a component into processes and stealing system information such as the Windows version, install language and installed service pack version.

“The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include: recording video, recording audio, taking screenshots, uploading files to a remote server, obtaining a recent document list, searching for a string or pattern in a file [and] deleting and setting restore points,” Morparia blogged. “The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.”

Egobot has been able to stay under the radar due to a number of components responsible for masking its presence. For one, Egobot is compiled using an older version of Microsoft’s Detours software package, which includes the detoured.dll file and which the attackers use to attach malicious .dll files to legitimate Win32 binaries. Egobot can use this file to run itself in the memory of a legitimate process, disguising it as a benign process, the researcher explained. In addition, there is a coordinator component that prepares files by moving them into the appropriate folders and injecting them into legitimate processes, and certain versions of the backdoor include a timer so that the Trojan deletes itself after a certain date.

The Egobot attack has been linked to a parallel campaign that traces back to 2006, uses an infostealer known as Nemim, and has targeted organizations in Japan, the U.S., India and the United Kingdom.

“One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer,” blogged Symantec researcher Andrea Lelli. “Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.”

An analysis of the Nemim binaries also revealed other connections to Egobot, including similarities in the command and control communication format and use of encryption. While Egobot is highly targeted and estimated to have infected fewer than 100 machines, Nemim is believed to have impacted thousands.

“Nemim continues to operate today and has effectively evolved over time,” blogged Lelli. “For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns.”
