We looked at our logs for this year and found more Korean websites infected:

  • koreatimes.com (Sep. 18, 2015)
  • filehon.com (May 30, 2015)
  • joara.com (May 3, 2015)
  • hometax.go.kr (May 3, 2015)
  • soriaudio.co.kr (April 23, 2015)
  • gomsee.com (March 16, 2015)
  • lottoplay.co.kr (Feb 6, 2015)
  • insight.co.kr (Jan 31, 2015)
  • filecity.co.kr (Jan 23, 2015)
  • nggol.com (Jan 6, 2015)
  • koreamanse.com (Jan 6, 2015)

The payload we obtained also specifically targets Korean banks: it modifies the infected system's hosts file to redirect traffic for Korean banks to an attacker-controlled server, so the attacker can present a phishing website without the user knowing they are visiting one. It also targets AhnLab, a popular antivirus product in South Korea, by killing its processes and deleting files specific to the software.

[Figure: Infection Flow]

Website Infection

The following analysis focuses on the infection that took place on koreatimes.com.

The culprit is a JavaScript file named “2013_gnb.js”, an iframe injector that leads to the KaiXin EK landing page.

[Figure: iframe redirect to the KaiXin EK landing page]

It exploits the following vulnerabilities:

  • CVE-2014-6332 (IE)
  • CVE-2011-3544 (Java)
  • CVE-2015-0336 (Flash)

We found interesting strings in the Flash file that give an idea of the platform the attacker used to build the exploit, as well as references to the attacker. One such string, “King Lich V”, is likely the author's signature; it was also found in other attacks involving a Chinese group. The Flash file was also packed with DoSWF.

[Figure: strings found in the Flash file]

Once exploitation succeeds, it has two options for executing its payload. If it is running on Windows 7 or 8, it fires a PowerShell script that downloads an executable from 199[.]188[.]106[.]161.

[Figure: PowerShell download payload]

Otherwise, it executes shellcode that downloads from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The former (the PowerShell route) is essentially used to bypass DEP.

The downloaded binary is banking malware with backdoor capabilities belonging to the Venik family.

Backdoor Venik

“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.

The downloaded binary is actually a dropper which, when executed, installs a DLL in a C:\{random} folder under a random name such as “c:\tqcsv\krxxc.rxk”. It executes this DLL as:

  • “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start

It creates a mutex (M142.0.137.66:3201) and an autostart registry entry such as:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”
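An added example, not code from the original post: a check over Run-key values that flags the persistence pattern described above (rundll32 loading a module with a non-.dll extension from a single-level folder under the drive root). The sample registry values are constructed; the first mirrors the entry shown above, the other two are benign entries for contrast.

```python
import re

# Constructed sample of Run-key values (name, command line); the first mirrors the
# entry shown above, the other two are benign look-alikes for contrast.
SAMPLE_RUN_VALUES = [
    ("EvtMgr", r'c:\windows\system32\rundll32.exe "c:\tqcsv\krxxc.rxk",Start'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("NvCpl", r'C:\Windows\system32\rundll32.exe C:\Windows\system32\NvCpl.dll,NvStartup'),
]

# rundll32 [path] <module>,<export>; the module may be quoted.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
SYSTEM_TREES = re.compile(r"[a-z]:\\(windows|program files)", re.IGNORECASE)
ROOT_CHILD = re.compile(r"[a-z]:\\[^\\]+\\[^\\]+", re.IGNORECASE)  # C:\dir\file, nothing deeper

def classify_run_value(name, command):
    # Returns None for non-rundll32 entries, otherwise a dict whose "reasons"
    # lists the traits of the Venik entry that this value shares.
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    module = m.group("module").strip()
    reasons = []
    if not module.lower().endswith(".dll"):
        reasons.append("module has a non-.dll extension")
    if ROOT_CHILD.fullmatch(module) and not SYSTEM_TREES.match(module):
        reasons.append("module sits in a single-level folder under the drive root")
    return {"name": name, "module": module, "export": m.group("export"), "reasons": reasons}

def find_suspicious(values):
    # Keeps only rundll32 entries with at least one reason.
    hits = (classify_run_value(n, c) for n, c in values)
    return [h for h in hits if h and h["reasons"]]
```

Feed it the (name, data) pairs exported from the Run keys of each user hive and HKLM; a legitimate rundll32 entry such as the NvCpl one yields no reasons and is dropped.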

After installation, it beacons to its server by contacting the following URLs:

  • http://142[.]0[.]137[.]68:803
  • http://142[.]0[.]137[.]67:805/index.php

It also opens a connection to 142.0.137.66 on TCP port 3201 and waits for a command from the server. The server can issue a command that starts a remote access service on the infected client.

[Figure: remote access service started by Venik]

It also collects files from the %ProgramFiles% folder and mapped drives. It copies the files to a random file in C:\ using xcopy and uploads that file to its server over an HTTP session.

[Figure: file collection routine]

It modifies the hosts file (%system32%\drivers\etc\hosts), adding the following lines. This effectively redirects the user's visits to banking sites to an attacker-controlled site, which is actually a phishing site:

142.0.137.199 www.shinhan.com.or
142.0.137.199 search.daum.net
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 openbank.cu.vo.kr
142.0.137.199 www.busanbank.vo.kr
142.0.137.199 www.nonghyup.com.or
142.0.137.199 www.shinhan.ccm
142.0.137.199 www.wooribank.com.or
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.epostbank.go.kr.or
142.0.137.199 www.ibk.co.kr.or
142.0.137.199 www.ibk.vo.kr
142.0.137.199 www.keb.co.kr.or
142.0.137.199 www.kfcc.co.kr.or
142.0.137.199 www.lottirich.co.ir
142.0.137.199 www.nlotto.co.ir
142.0.137.199 www.gmarket.net
142.0.137.199 nate.com
142.0.137.199 www.nate.com
142.0.137.199 daum.com
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.zum.com
142.0.137.199 zum.com
142.0.137.199 naver.com
142.0.137.199 www.nonghyup.com
142.0.137.199 www.naver.com
142.0.137.199
142.0.137.199 www.nate.net
142.0.137.199 hanmail.net
142.0.137.199 www.hanmail.net
142.0.137.199 www.hanacbs.com
142.0.137.199 www.kfcc.co.kr
142.0.137.199 www.kfcc.vo.kr
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199 www.shinhon.com
142.0.137.199 www.wooribank.com
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.epostbenk.go.kr
142.0.137.199 www.keb.co.kr
142.0.137.199 www.citibank.co.kr.or
142.0.137.199 www.citibank.vo.kr
142.0.137.199 www.standardchartered.co.kr.or
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.suhyup-bank.com.or
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.kjbank.com.or
142.0.137.199 www.kjbank.com
142.0.137.199 openbank.cu.co.kr.or
142.0.137.199 openbank.cu.co.kr
142.0.137.199 www.knbank.co.kr.or
142.0.137.199 www.knbank.co.kr
142.0.137.199 www.busanbank.co.kr.or
142.0.137.199 www.busanbank.co.ir
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.suhyup-bank.ccm
142.0.137.199 www.standardchartered.co.kr

Hosts file modification
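As an added example (not code from the original post), here is a hosts-file check a defender can run against the kind of modification listed above: it reports every entry that points a hostname at a public address and names the legitimate domain each entry impersonates. The watch list of legitimate domains and the sample hosts content are constructed for the example.

```python
import ipaddress
# Constructed watch list: legitimate domains that the hijacked hosts file above
# repoints or imitates (an assumption; extend it for your own environment).
WATCHED_DOMAINS = {
    "www.shinhan.com", "www.kbstar.com", "www.wooribank.com", "www.hanabank.com",
    "www.ibk.co.kr", "www.keb.co.kr", "www.naver.com", "www.daum.net", "www.nate.com",
}

# Constructed excerpt: benign lines plus entries of the kind shown above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 intranet.example.local
142.0.137.199 www.shinhan.com.or
142.0.137.199 www.kbstir.com
142.0.137.199 www.naver.com
142.0.137.199
"""

def is_suspicious_target(ip_text):
    # Hosts entries normally point at loopback or internal space; report public ones.
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)

def impersonated_domain(host):
    # Watched domain that host equals or imitates: a bogus extra label
    # (www.shinhan.com.or) or a one-character edit (www.kbstir.com), else None.
    if host in WATCHED_DOMAINS:
        return host
    for real in sorted(WATCHED_DOMAINS):
        if host.startswith(real + "."):
            return real
        if len(host) == len(real) and sum(a != b for a, b in zip(host, real)) == 1:
            return real
    return None

def scan_hosts(text):
    # Returns (line_no, ip, hostname, impersonated) per suspicious entry; a bare IP
    # with no hostname, as in the listing above, is reported with hostname None.
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not is_suspicious_target(fields[0]):
            continue
        for host in fields[1:] or [None]:
            hit = impersonated_domain(host.lower()) if host else None
            findings.append((line_no, fields[0], host, hit))
    return findings
```

Transposition typos such as nonghuyp for nonghyup are not caught by the one-character rule; add those spellings to the watch list directly if you want them flagged.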

The phishing site asks for sensitive information that is not usually asked for during a normal online banking session.

[Figure: phishing site]

There are also times when it asks the user to visit other banking sites, which lead to phishing sites as well. This likely happens when the phishing site does not currently support a given bank.

[Figure: Woori Bank phishing page]

In addition to its attack on Korea-related services, it tries to disable AhnLab-related files and processes. AhnLab is a popular antivirus product in South Korea.

[Figure: AhnLab process termination]

As of September 25, we verified that koreatimes.com is clean from this infection.

Related Samples

Sample          Hash (MD5)                        Packer   Filename
Venik Dropper   c242d641d9432f611360db36f2075f67  UPX      66.exe
Venik DLL       a6ec0fbe1ad821a3fb527f39e180e378  RLPack   {random}
Flash Exploit   b9a5a00e134fe0df217c01145319b1cb  DoSWF    ad.swf

Credits to Alex Burt for his help in discovering this infection.