On September 18, 2015, we saw activity on koreatimes.com that led us to capture a malicious binary. Further investigation showed that this campaign specifically targets Korean websites and Korean banks.
We looked at our logs for this year and found more Korean websites infected:
- koreatimes.com (Sep. 18, 2015)
- filehon.com (May 30, 2015)
- joara.com (May 3, 2015)
- hometax.go.kr (May 3, 2015)
- soriaudio.co.kr (Apr. 23, 2015)
- gomsee.com (Mar. 16, 2015)
- lottoplay.co.kr (Feb. 6, 2015)
- insight.co.kr (Jan. 31, 2015)
- filecity.co.kr (Jan. 23, 2015)
- nggol.com (Jan. 6, 2015)
- koreamanse.com (Jan. 6, 2015)
The payload we obtained also specifically targets Korean banks: it modifies the infected system's hosts file so that traffic for Korean banking domains is redirected to a server the attacker controls. The user therefore lands on a phishing page while the browser still shows the bank's own domain. The payload also targets AhnLab, a popular antivirus product in South Korea, by killing its processes and deleting files belonging to the software.
Infection Flow
Website Infection
The following analysis focuses on the infection observed on koreatimes.com.
The culprit is a JavaScript file named "2013_gnb.js", an iframe injector that leads to the KaiXin EK landing page.
The landing page serves exploits for the following vulnerabilities:
- CVE-2014-6332 (Internet Explorer)
- CVE-2011-3544 (Java)
- CVE-2015-0336 (Flash)
We found interesting strings in the Flash file that give an idea of the platform the attacker used to build the exploit, along with references to the attacker. The string "King Lich V", which is likely the author's signature, was also present; the same string has been seen in other attacks attributed to a Chinese group. The Flash file was packed with DoSWF.
Once exploitation succeeds, the payload is executed in one of two ways. On Windows 7 or 8, it launches a PowerShell script that downloads an executable from 199[.]188[.]106[.]161.
Otherwise, it runs shellcode that downloads from "www[.]jfkdsajfk5263[.]com/server[.]jpg". The PowerShell route is essentially used on those systems to bypass DEP, since no shellcode has to execute from memory.
The downloaded binary is banking malware with backdoor capabilities belonging to the Venik family.
Backdoor Venik
“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.
The downloaded binary is actually a dropper. When executed, it installs a DLL into a randomly named folder directly under C:\, using a random file name and extension such as "c:\tqcsv\krxxc.rxk", and runs it as:
- "%system32%\rundll32.exe" "c:\tqcsv\krxxc.rxk",Start
It creates a mutex named M142.0.137.66:3201 (the name embeds the command-and-control address and port) and sets an autostart entry:
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Value: EvtMgr = c:\windows\system32\rundll32.exe "c:\tqcsv\krxxc.rxk",Start
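The persistence and mutex artifacts above are easy to check for on a host. The Python below is an added example (not code from this post or from the malware) that parses Run-key values, flags a rundll32 entry that loads a non-DLL module from a short junk-named folder directly under the drive root, and extracts the C2 socket embedded in a Venik-style mutex name. The EvtMgr value copies the entry reported above; the other two Run-key values, the trusted-directory prefixes and the loadable-extension set are assumptions.

```python
import ntpath
import re

# Constructed Run-key contents (added example data). EvtMgr copies the entry
# this post reports; OneDrive and DisplayHelper are hypothetical benign values.
SAMPLE_RUN_VALUES = {
    "EvtMgr": r'"c:\windows\system32\rundll32.exe" "c:\tqcsv\krxxc.rxk",Start',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "DisplayHelper": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\dsphelper.dll,Init',
}

# Assumption: C: is the system drive. Modules under these trees are expected;
# anything else is flagged. Adjust for your environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Extensions rundll32 is legitimately asked to load (assumed set).
LOADABLE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

# rundll32 [path]  module,export  -- quotes optional around exe and module.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Venik's mutex "M142.0.137.66:3201" carries its C2 socket in the name.
MUTEX_SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_rundll32(cmdline):
    """Return (module_path, export_name) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def assess_run_value(cmdline):
    """Return the reasons a Run-key value resembles the loader described above."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module = ntpath.normpath(parsed[0]).lower()
    reasons = []
    if ntpath.splitext(module)[1] not in LOADABLE_EXTENSIONS:
        reasons.append("non-dll-extension")        # e.g. .rxk
    directory = ntpath.dirname(module)
    if not (directory + "\\").startswith(TRUSTED_PREFIXES):
        reasons.append("untrusted-directory")
        # A short junk-named folder sitting directly under the drive root,
        # like c:\tqcsv, is the dropper's install pattern.
        top = ntpath.splitdrive(directory)[1].strip("\\")
        if "\\" not in top and re.fullmatch(r"[a-z0-9]{3,8}", top):
            reasons.append("random-root-directory")
    return reasons


def triage_run_values(values):
    """Map value name -> reasons, for every Run-key value that raised any."""
    return {name: r for name, cmd in values.items() if (r := assess_run_value(cmd))}


def socket_in_mutex(name):
    """Extract an (ip, port) pair embedded in a mutex name, or None."""
    m = MUTEX_SOCKET_RE.search(name)
    return (m.group(1), int(m.group(2))) if m else None


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(reasons)}")
    print(socket_in_mutex("M142.0.137.66:3201"))
```

On a live system the dictionary would be filled from the HKCU and HKLM Run keys (via winreg or `reg query`), and enumerated mutex names fed to socket_in_mutex to recover the C2 without running the sample. The heuristics are a triage aid: a hit deserves a look at the module file, not an automatic verdict.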
After installation, it beacons to its server by contacting the following URLs:
- http://142[.]0[.]137[.]68:803
- http://142[.]0[.]137[.]67:805/index.php
It also opens a TCP connection to 142.0.137.66 on port 3201 and waits for commands from the server. One command the server can issue starts a remote access service on the infected client.
It also collects files from the %ProgramFiles% folder and from mapped drives, copies them with xcopy to a randomly named location under C:\, and uploads the result to its server over an HTTP session.
It modifies the hosts file (%system32%\drivers\etc\hosts) by appending the lines below, so that a visit to a banking site is silently redirected to a phishing site on the attacker's server. Note that the list mixes genuine hostnames (www.ibk.co.kr, www.naver.com) with look-alike misspellings (www.kbstir.com, www.nonghuyp.com, and the ".com.or", ".vo.kr" and ".co.ir" variants), which appear intended to catch users who mistype the address:
142.0.137.199 www.shinhan.com.or
142.0.137.199 search.daum.net
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 openbank.cu.vo.kr
142.0.137.199 www.busanbank.vo.kr
142.0.137.199 www.nonghyup.com.or
142.0.137.199 www.shinhan.ccm
142.0.137.199 www.wooribank.com.or
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.epostbank.go.kr.or
142.0.137.199 www.ibk.co.kr.or
142.0.137.199 www.ibk.vo.kr
142.0.137.199 www.keb.co.kr.or
142.0.137.199 www.kfcc.co.kr.or
142.0.137.199 www.lottirich.co.ir
142.0.137.199 www.nlotto.co.ir
142.0.137.199 www.gmarket.net
142.0.137.199 nate.com
142.0.137.199 www.nate.com
142.0.137.199 daum.com
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.zum.com
142.0.137.199 zum.com
142.0.137.199 naver.com
142.0.137.199 www.nonghyup.com
142.0.137.199 www.naver.com
142.0.137.199
142.0.137.199 www.nate.net
142.0.137.199 hanmail.net
142.0.137.199 www.hanmail.net
142.0.137.199 www.hanacbs.com
142.0.137.199 www.kfcc.co.kr
142.0.137.199 www.kfcc.vo.kr
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199 www.shinhon.com
142.0.137.199 www.wooribank.com
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.epostbenk.go.kr
142.0.137.199 www.keb.co.kr
142.0.137.199 www.citibank.co.kr.or
142.0.137.199 www.citibank.vo.kr
142.0.137.199 www.standardchartered.co.kr.or
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.suhyup-bank.com.or
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.kjbank.com.or
142.0.137.199 www.kjbank.com
142.0.137.199 openbank.cu.co.kr.or
142.0.137.199 openbank.cu.co.kr
142.0.137.199 www.knbank.co.kr.or
142.0.137.199 www.knbank.co.kr
142.0.137.199 www.busanbank.co.kr.or
142.0.137.199 www.busanbank.co.ir
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.suhyup-bank.ccm
142.0.137.199 www.standardchartered.co.kr
Host File Modification
The phishing site asks for sensitive information that is not normally requested during an online banking session.
At times it also directs the user to other banking sites, which in turn lead to phishing pages; this appears to happen when the phishing site does not yet support the bank the user visited.
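As an added example (not from the original post), the Python below triages a hosts file the way an analyst would after reading the list above: it parses the file (handling multiple aliases per line, inline comments and the IP-only line that appears in the dump), keeps only entries that point at an external address, and labels each as a hijack of a genuine hostname, a look-alike of one, or an unclassified redirect, grouped by the address they resolve to. The hosts excerpt is constructed from the post's entries, and LEGIT_DOMAINS is a hypothetical allow-list of the genuine names.

```python
import ipaddress
from collections import defaultdict

# Constructed hosts-file excerpt (added example data): the stock loopback
# entries plus a sample of the lines this post reports the Venik DLL appending,
# including the malformed IP-only line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
142.0.137.199 www.shinhan.com.or
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199
142.0.137.199 www.busanbank.co.ir
"""

# Hypothetical allow-list of the genuine hostnames an analyst expects to be
# targeted; a real deployment would load this from the portals it protects.
LEGIT_DOMAINS = {
    "www.shinhan.com", "www.kbstar.com", "www.ibk.co.kr", "www.nonghyup.com",
    "www.busanbank.co.kr", "search.naver.com",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs; hostname is None for an IP-only line.

    A hosts line may carry several aliases after the address and an inline
    '#' comment; each alias becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not an address: leave malformed lines to manual review
        if len(tokens) == 1:
            entries.append((tokens[0], None))
        for name in tokens[1:]:
            entries.append((tokens[0], name.lower()))
    return entries


def is_external(ip):
    """True for an address that should not normally appear in a hosts file."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified)


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_target(host, legit, max_edits=2):
    """Return the genuine domain `host` imitates, or None.

    Covers the two patterns in the list above: the genuine name with junk
    appended ('www.shinhan.com.or') and small typos ('kbstir', 'co.ir').
    """
    best = None
    for real in legit:
        if host.startswith(real + "."):
            return real
        d = levenshtein(host, real)
        if d <= max_edits and (best is None or d < best[0]):
            best = (d, real)
    return best[1] if best else None


def triage_hosts(text, legit):
    """Group suspicious entries by the external address they point to."""
    findings = defaultdict(list)
    for ip, host in parse_hosts(text):
        if not is_external(ip):
            continue
        if host is None:
            kind, target = "bare-ip", None
        elif host in legit:
            kind, target = "hijack", host
        else:
            target = lookalike_target(host, legit)
            kind = "typosquat" if target else "redirect"
        findings[ip].append({"host": host, "kind": kind, "target": target})
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in triage_hosts(SAMPLE_HOSTS, LEGIT_DOMAINS).items():
        print(ip)
        for h in hits:
            print(f"  {h['kind']:10} {h['host']}  ->  {h['target']}")
```

Grouping by address is deliberate: every entry the malware writes resolves to the one phishing host, so a single external IP fanning out to dozens of banking names is itself the signal, and that IP becomes the pivot for firewall logs and the "redirect" entries you could not classify. Keep max_edits small; on short names a distance of 2 already matches unrelated domains.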
Adding to its attack on Korean services, it also tries to disable AhnLab files and processes, AhnLab being a popular antivirus product in South Korea.
As of September 25, we verified that koreatimes.com no longer serves this infection.
Related Samples
Sample | MD5 | Packer | Filename
Venik Dropper | c242d641d9432f611360db36f2075f67 | UPX | 66.exe
Venik DLL | a6ec0fbe1ad821a3fb527f39e180e378 | RLPack | {random}
Flash Exploit | b9a5a00e134fe0df217c01145319b1cb | DoSWF | ad.swf
Credits to Alex Burt for his help in discovery of this infection.