Researchers from FireEye shared details on Monday of an attack that appears to be after targets in Russia, and seems to be originating from an attacker in Korea.
According to FireEye, the attack is rather standard, and is delivered by a malicious Microsoft Word document attached to an email. The exploit drops an executable, which then drops another .EXE and two .DLLs. These files then “create multiple components that aggravate AV detection and cleanup,” FireEye said. A clean, legitimate document is embedded inside the malicious document, and launched after the exploit is successful, FireEye added.
FireEye named the malware “Sanny” for the simple reason that an email address used by the attacker was “[email protected]”.
The document was targeting users whose language is in the Cyrillic character set which is used in Russia, but also by many millions of users in Europe and Asia. In 2011 approximately 252 million people in Europe and Asia used Cyrillic—about half of those being in Russia.
From what FireEye researchers can see, compromised systems appear to be a mix of malware analysts and legitimate users, indicating that the malware has popped up on the radar screens of other security firms as well.
Security Resource: Download the Advanced Malware Survival Kit
During their analysis, FireEye researchers combed through the full list of IP addresses scraped from the victim logs. Some of them are AV companies or security researchers, they said, but the majority are believed to be real victims in Russia. Based on what was found, targets appear to include Russian Space Research, information, education and telecommunications industries.
The malware is stealing many different types of passwords/credentials from victims’ machines, including the extraction of MS Outlook accounts and accounts data, along with stealing username/passwords that Firefox remembers for different web services such as Hotmail, Facebook, etc.
The command and control channel is embedded on “nboard.net”, a legitimate Korean message board, FireEye said. The malware also contains a fallback mechanism so that if the message board is unavailable, it attempts to check mail connectivity through a Korean Yahoo! mail server.
“At another segment we observed malware stealing username/passwords that Firefox remembers Apart from stealing different types of credentials, it also profiles the victims, e.g., collecting the victim_locale, victim_region, and other relevant information,” FireEye researchers Alex Lanstein and Ali Islam noted in the blog post.
In any attack, attribution is always challenging, but FireEye has strong reasons to believe that this attack originated from Korea, or at least that the author of the malware is well versed in the Korean language. To start, the SMTP mail server and Command and Control server are in Korea. Additionally, Korean fonts “Batang” and “KP CheongPong” were used in the document. Furthermore, the attacker used a Korean message board as the C&C, indicating that it’s likely that either he or she is a native speaker or is at least comfortable with the Korean language, FireEye noted.
“The attacker is continuously monitoring the CnC to check new victims and their stolen data,” the researchers noted. “It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the CnC server. In the last five days, the attacker collected and deleted the data three times approximately after every two days.”
The command and control server was still operational and and receiving data from different victims as of Monday.
Related Resource: Download the Advanced Malware Survival Kit
