Researchers at Trend Micro have detailed the inner workings of an ongoing attack campaign that for years has quietly been targeting organizations and institutions tied to the South Korean government.
Known as Heartbeat, the attack campaign is believed to have been active since at least November 2009. According to Trend Micro, the first HeartBeat remote access tool (RAT) component was discovered in June 2012 in the computer network of a Korean newspaper.
“The HeartBeat campaign is an isolated APT case that targets organizations within South Korea only,” blogged Trend Micro Threat Researcher Roland Dela Paz. “Based on our research, the campaign [had] started by at least November 2009. They target organizations that are directly or in some ways related to the South Korean government. Specifically, the HeartBeat campaign targets the following sectors: political parties; media outlets; a national policy research institute; a military branch of the South Korean armed forces; a small business sector organization [and] branches of the South Korean government.”
After the RAT component was discovered, further investigation revealed the campaign had been distributing the component to targets in 2011 and the first half of 2012. A second component was discovered to date back to November 2009.
“Variants of their RAT contains an embedded campaign code that mostly contains strings that describes their respective decoy documents and a campaign date in MMDD format,” Dela Paz blogged.
Once on a victim’s computer, the malware opens up a backdoor and gives the attackers full access to the machine. While the report said it is unclear how the malware arrives on victims’ systems, Trend Micro suspects spear-phishing emails were used. In fact, the packaged malware used the icon of the decoy document to look legitimate, Trend Micro stated in the report. If the decoy is an XLS file for example, the package will appear to have an XLS document icon.
“Based on the samples we collected, the campaign’s decoy documents used the file formats .JPG, .PDF, XLS, and HWP, the Korean government standard word processor format,” according to the report. “One of the previous HeartBeat attacks even dropped a pornographic .JPG image as decoy. Below is a screenshot of a Hangul Word Processor (.HWP) document used as bait in November 2011. Its document title roughly translates to ‘Information to the President.hwp’.”
“Once users open the packaged malicious file, the actual document is displayed to the user while a RAT installer in .EXE format runs in the background,” the report continues. “The RAT installer, on the other hand, drops a .DLL file that is then injected to the legitimate process svchost.exe. The injected code in svchost.exe then connects to the malware command and control (C&C) server to register infection and wait for remote commands.”
The campaign’s command and control domains appear to use a site redirection service, with the sites redirecting to IP addresses from Internet Service Providers (ISPs) in Armenia, Japan, India, Korea and the United States. The attackers updated the IP address of some of their C&C domains, and all of their IP addresses belong to legitimate ISPs. Because of this, researchers suspect these IP addresses are compromised hosts that act as proxy servers that redirect traffic to the actual C&C servers.
“Clues relating to the attackers remain very limited,” according to the report. “Using compromised hosts as C&C proxy servers minimizes the possibility of tracking potential threat actors.”
That doesn’t mean there were no potential clues however. In order to track their campaigns and victims, the attackers used campaign codes that contained campaign dates and strings that described specific campaigns. These codes were embedded in the RAT binaries, and sent to their C&C servers along with information about the targets’ systems. Some of these codes included Chinese words such as guohui, xuehui and minzhu – though some of the C&C domain names contained English words.
“While having an isolated target may have helped them stay under the security industry’s radar, the attackers illustrated that they were very careful but persistent,” according to the report. “Understanding targeted campaigns and their methodologies is fundamental in protecting both end users and organizations. Not only does it help in coming up with effective defensive strategies through multiple protection layers, it also helps with predicting possible targets in the future and ultimately, raise awareness.”