Security Experts:

Attacks on European Firms Suggest Return of "Dark Seoul" Group

The tools and techniques used by malicious actors in attacks targeting European companies indicate that the group known for wreaking havoc in South Korea in 2013 might have returned.

A series of attacks were launched in 2013 against various organizations in South Korea, including broadcasters, financial companies, and government agencies. Experts determined at the time that the cyber espionage campaign, dubbed Dark Seoul and Operation Troy, dated back to at least 2009. The pieces of malware used by the attackers had been designed not only to steal sensitive information, but also to destroy the master boot record (MBR) of infected machines.

South Korean officials blamed North Korea for the attacks, but Pyongyang denied any involvement.

In a July 2013 report detailing the attacks, McAfee noted that one of the pieces of malware used in Operation Troy was “TDrop,” a threat that disguised itself as a security product to avoid detection.

After two years in which no other Dark Seoul attacks were reported, Palo Alto Networks identified malicious code samples with behavior similar to the pieces of malware used in the 2013 campaign. The attacks spotted by the security firm, dating back to June 2015, had been targeted at the transportation and logistics sector in Europe.

Experts believe the attacks started with a spear-phishing email designed to deliver a piece of malware bundled with an installer for security camera video playback software offered by an industrial control systems (ICS) organization.

An analysis of the Trojan’s behavior and binary code revealed similarities to the tools used in the 2013 DarkSeoul attacks. While there isn’t sufficient evidence to confirm it, the reemergence of the tools suggests that the group behind the attacks on South Korea is back, Palo Alto Networks said.

The new piece of malware discovered by researchers, dubbed by Palo Alto “TDrop2,” appears to be a successor of “TDrop.” The initial commands sent to the malware are designed for basic reconnaissance of the infected host.

The list of similarities between the new and the old malware includes a distinct string encryption routine and network communications.

In the recent attacks, the threat group used compromised South Korean and European websites as command and control (C&C) servers. Researchers say it’s unclear how these websites got hacked, but they all use shared hosting and they run out-of-date software that could be plagued by serious vulnerabilities.

There are some significant differences between the recent and the 2013 attacks, including the the targets, which this time are not in South Korea, and the fact that the malware has not exhibited any destructive functionality, although experts have pointed out that TDrop2 is capable of downloading additional components.

Palo Alto Networks believes the differences are outweighed by the similarities, and the company believes it’s highly likely that we’re witnessing a reemergence of the Dark Seoul attackers.

“It is not uncommon for threat actors to become dormant for some period of time, especially after public unveiling as the groups behind Dark Seoul/Operation Troy experienced. What we do know is that changing infrastructure and toolsets can be challenging, and it is not nearly as common that a very specialized tool developed for specific teams would be shared amongst threat actors,” Palo Alto Networks said in a blog post.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.