The recent cyber attack on news sites and banks in South Korea, which possibly originated from North Korea or China, may have been initiated via a phishing campaign, according to Trend Micro.
The ‘wiper’ malware that struck the banks and news sites may have come disguised as a document attached to an email –
“On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment. The message posed as coming from a bank. The attachment is actually a downloader, which downloaded 9 files from several different URLs. To hide the malicious routines, a fake website is shown.”
In reality the ‘bank’ that sent the message was a host that Trend’s Deep Discovery threat scanning software recognised as having been used to spread malware before.
The attached document was, of course, not what it claimed to be: it was in fact an installer for the ‘wiper’ malware, and it carried an additional payload, namely PuTTY SSH and SCP clients –
“The attachment, disguised as a document, was actually the installer for the “wiper” malware. It also carried PuTTY SSH and SCP clients, and a bash script designed to be used in an attack against Unix servers that the target machines had connection profiles for. When activated, the dropper attempted to create SSH sessions to Unix hosts with root privileges and erase key directories.”
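The dropper described above would show up on the Unix side as one workstation logging in as root to many servers within seconds. The following detection script is an added example, not code from Trend Micro or from the original post; it runs over constructed sshd auth-log lines and flags any source that opened root sessions on several distinct hosts inside a short window (host names, addresses and thresholds are assumptions).

```python
"""Flag a fan-out of root SSH logins from one source address, the pattern
a dropper that walks a workstation's saved connection profiles would leave."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in syslog format (not real data).
SAMPLE_LOG = """\
Mar 20 14:01:03 db01 sshd[2101]: Accepted password for root from 10.0.5.17 port 51122 ssh2
Mar 20 14:01:04 web02 sshd[877]: Accepted password for root from 10.0.5.17 port 51123 ssh2
Mar 20 14:01:05 mail01 sshd[4410]: Accepted password for root from 10.0.5.17 port 51124 ssh2
Mar 20 14:01:06 app03 sshd[9013]: Accepted password for root from 10.0.5.17 port 51125 ssh2
Mar 20 09:30:00 db01 sshd[1999]: Accepted publickey for deploy from 10.0.9.2 port 40011 ssh2
Mar 20 14:03:00 db01 sshd[2102]: Failed password for root from 10.0.5.18 port 51200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2013):
    """Yield (timestamp, host, user, method, src) for accepted logins only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and non-sshd lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["method"], m["src"]

def root_fanout(log_text, window_seconds=60, min_hosts=3):
    """Return {src: sorted hosts} for every source that logged in as root on
    at least min_hosts distinct hosts within window_seconds of each other."""
    by_src = defaultdict(list)
    for ts, host, user, _method, src in parse(log_text):
        if user == "root":
            by_src[src].append((ts, host))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window starting at each root login from this source.
            hosts = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits
```

Feed it real sshd logs (with the correct year) and tune `window_seconds` and `min_hosts` to the normal admin behaviour of your environment; root password logins from a user workstation subnet are themselves worth an alert regardless of count.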
Personally I’d love to know what it was about the original email message that got someone to click on it in the first place…