Researchers from Seculert have shared details on the malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea.
Called “PinkStats“, the malware is a downloader, or rather one of its primary functions is to act as a gateway for additional malicious payloads. Depending on the type of attack, PinkStats will communicate with the Command & Control server once installed and receive any additional malware that’s required.
“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explains in their post.
Seculert first discovered the threat over two months ago using its traffic log analysis system, Aviv Raff, CTO at Seculert told SecurityWeek.
When they discovered an active C&C server, Seculert found more than 1,000 systems connected to it.
“The machines belonging mainly to universities and other educational institutions, have been targeted by silently installing the PinkStats malware, using “arp” as the name of the infection group.”
During the attacks in South Korea, PinkStats downloaded a common Chinese attack tool called zxarps, which is used as a local network worm. It performs ARP poisoning in order to inject an IFRAME into active Web sessions. Part of the IFRAME contains an ActiveX installation that was valid as recent as May 8, using Microsoft Corporation as the product name, and fraudulent South Korean company as the publisher.
After that, PinkStats installed a second malicious payload, which centers on DDoS attacks. This component file was masked as V3Light Framework software from AhnLab, a South Korean Anti-Virus company.
“Up until now, the adversary did not seem to send any specific instructions to the installed DDoS malware. However, with the recent incidents of DDoS attacks against South Korean infrastructure, it is reasonable to assume that this state could change anytime soon,” the post adds.
“This is not the first time we have seen Chinese attackers target entities from other Asian countries. However, while it was speculated that the Chinese are behind the recent DDoS attack against South Korea’s critical infrastructure, PinkStats seems to be the first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.”
Related Reading: South Korea Sounds Alert After Official Websites Hacked
Additional reporting by Mike Lennon