Researchers from Seculert have shared details on the malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states. The most recent set of attacks targeted dozens of organizations in South Korea.
Called “PinkStats“, the malware is a downloader, or rather one of its primary functions is to act as a gateway for additional malicious payloads. Depending on the type of attack, PinkStats will communicate with the Command & Control server once installed and receive any additional malware that’s required.
“We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea,” Seculert explains in their post.
Seculert first discovered the threat over two months ago using its traffic log analysis system, Aviv Raff, CTO at Seculert told SecurityWeek.
When they discovered an active C&C server, Seculert found more than 1,000 systems connected to it.
“The machines belonging mainly to universities and other educational institutions, have been targeted by silently installing the PinkStats malware, using “arp” as the name of the infection group.”
During the attacks in South Korea, PinkStats downloaded a common Chinese attack tool called zxarps, which is used as a local network worm. It performs ARP poisoning in order to inject an IFRAME into active Web sessions. Part of the IFRAME contains an ActiveX installation that was valid as recent as May 8, using Microsoft Corporation as the product name, and fraudulent South Korean company as the publisher.
After that, PinkStats installed a second malicious payload, which centers on DDoS attacks. This component file was masked as V3Light Framework software from AhnLab, a South Korean Anti-Virus company.
“Up until now, the adversary did not seem to send any specific instructions to the installed DDoS malware. However, with the recent incidents of DDoS attacks against South Korean infrastructure, it is reasonable to assume that this state could change anytime soon,” the post adds.
“This is not the first time we have seen Chinese attackers target entities from other Asian countries. However, while it was speculated that the Chinese are behind the recent DDoS attack against South Korea’s critical infrastructure, PinkStats seems to be the first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.”
Related Reading: South Korea Sounds Alert After Official Websites Hacked
Additional reporting by Mike Lennon
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
