South Korean Bank And News Hack May Have Come From Phishing Campaign

The recent cyber attack on news sites and banks in South Korea, which may have come from either North Korea or China, may have been initiated via a phishing campaign according to Trend Micro.

Targeted Attacks

The ‘wiper’ malware that struck the banks and news sites may have come disguised as a document attached to an email –

“On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment. The message posed as coming from a bank. The attachment is actually a downloader, which downloaded 9 files from several different URLs. To hide the malicious routines, a fake website is shown.”
Trend Micro

In reality the ‘bank’ that sent the message was actually a host that Trend’s Deep Discovery threat scanning software recognised as having been used to spread malware before.

The infected document was, of course, not what it claimed to be and was in fact an installer for the ‘wiper’ malware. It also carried an additional payload, namely PuTTY SSH and SCP clients –

“The attachment, disguised as a document, was actually the installer for the “wiper” malware. It also carried PuTTY SSH and SCP clients, and a bash script designed to be used in an attack against Unix servers that the target machines had connection profiles for. When activated, the dropper attempted to create SSH sessions to Unix hosts with root privileges and erase key directories.”
Ars Technica

Personally I’d love to know what it was about the original email message that got someone to click on it in the first place…


About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind