Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘PinkStats’ Malware Used in Attacks Against South Korea, Others

Researchers from Seculert have shared details on the malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea.

Researchers from Seculert have shared details on the malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea.

Called “PinkStats“, the malware is a downloader, or rather one of its primary functions is to act as a gateway for additional malicious payloads. Depending on the type of attack, PinkStats will communicate with the Command & Control server once installed and receive any additional malware that’s required.

“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explains in their post.

Seculert first discovered the threat over two months ago using its traffic log analysis system, Aviv Raff, CTO at Seculert told SecurityWeek.

When they discovered an active C&C server, Seculert found more than 1,000 systems connected to it.

“The machines belonging mainly to universities and other educational institutions, have been targeted by silently installing the PinkStats malware, using “arp” as the name of the infection group.”

During the attacks in South Korea, PinkStats downloaded a common Chinese attack tool called zxarps, which is used as a local network worm. It performs ARP poisoning in order to inject an IFRAME into active Web sessions. Part of the IFRAME contains an ActiveX installation that was valid as recent as May 8, using Microsoft Corporation as the product name, and fraudulent South Korean company as the publisher.

Advertisement. Scroll to continue reading.

After that, PinkStats installed a second malicious payload, which centers on DDoS attacks. This component file was masked as V3Light Framework software from AhnLab, a South Korean Anti-Virus company.

“Up until now, the adversary did not seem to send any specific instructions to the installed DDoS malware. However, with the recent incidents of DDoS attacks against South Korean infrastructure, it is reasonable to assume that this state could change anytime soon,” the post adds.

“This is not the first time we have seen Chinese attackers target entities from other Asian countries. However, while it was speculated that the Chinese are behind the recent DDoS attack against South Korea’s critical infrastructure, PinkStats seems to be the first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.”

Related Reading: South Korea Sounds Alert After Official Websites Hacked

Additional reporting by Mike Lennon

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...