Malicious program enhances APT campaign against South Korea


PinkStats, a downloader that spreads additional malware once it infects its target, has been repeatedly used in advanced persistent threat (APT) campaigns around the globe over the past four years, researchers have found.

The malicious program masquerades as legitimate web statistics software and, in the most recent APT campaign starting two months ago, saboteurs, believed to be based in China, infected more than 1,000 machines belonging to universities and other educational institutions in South Korea.

Aviv Raff, CTO and co-founder of Seculert, an Israel-based security firm, said in a Tuesday blog post that the malware displays an admin panel that looks similar to a panel used by most web analytics tools.

Other malware components unleashed by PinkStats include a worm commonly used in China, called zxarps, which performs address resolution protocol (ARP) poisoning: the attacker spoofs Media Access Control (MAC) address mappings on the local network so that traffic between the infected computer and another machine on the local area network passes through, and can be intercepted by, the attacker.
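The defender-side symptom of the ARP poisoning described above is one MAC address suddenly answering for IP addresses that were previously bound to other hardware, typically the gateway plus one or more victims. This added example (not code from the article or from Seculert) is a small Python monitor over a list of observed ARP replies; the IP and MAC values are constructed sample data, and `ArpMonitor` is a hypothetical helper name.

```python
from collections import defaultdict


class ArpMonitor:
    """Tracks sender IP -> sender MAC bindings seen in ARP replies (hypothetical helper)."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, sender_ip, sender_mac):
        """Record one ARP reply and return a list of alert strings (empty if benign)."""
        mac = sender_mac.lower()
        alerts = []
        prev = self.ip_to_mac.get(sender_ip)
        if prev is not None and prev != mac:
            # The same IP now resolves to different hardware: classic poisoning sign.
            alerts.append(f"binding change: {sender_ip} was {prev}, now claimed by {mac}")
        self.ip_to_mac[sender_ip] = mac
        self.mac_to_ips[mac].add(sender_ip)
        # One MAC answering for the gateway *and* for other hosts is the layout of an
        # ARP man-in-the-middle: victims send to the attacker, who forwards traffic.
        claimed = self.mac_to_ips[mac]
        if self.gateway_ip in claimed and len(claimed) > 1:
            others = sorted(claimed - {self.gateway_ip})
            alerts.append(f"{mac} claims gateway {self.gateway_ip} and {others}")
        return alerts


# Constructed sample: three legitimate replies, then a host that takes over
# the gateway's IP and a workstation's IP (the poisoning pattern).
SAMPLE_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),
    ("10.0.0.20", "aa:bb:cc:00:00:20"),
    ("10.0.0.30", "aa:bb:cc:00:00:30"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),
    ("10.0.0.20", "de:ad:be:ef:00:01"),
]


def scan(replies, gateway_ip="10.0.0.1"):
    """Run the monitor over (sender_ip, sender_mac) pairs and collect all alerts."""
    monitor = ArpMonitor(gateway_ip)
    findings = []
    for ip, mac in replies:
        findings.extend(monitor.observe(ip, mac))
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```

On a live network the same logic can be fed from a packet capture of ARP replies (opcode 2); the sample above is offline only.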

The worm also injects an IFRAME tag into active web sessions on new victims' machines, spreading PinkStats to others in the local network, Raff wrote.

Zxarps spreads unbeknownst to victims because it is disguised as an install of ActiveX software (a software framework developed by Microsoft).

A warning sign is that the ActiveX file is signed with a code-signing certificate issued by Thawte, a certificate authority based in South Africa, to a fake company called “Liaocheng YuanEr Technology Co.”

PinkStats' second malware component is a distributed denial-of-service (DDoS) tool, which disguises itself as fake V3Light Framework software owned by South Korean anti-virus company AhnLab.

Raff said this campaign showcases the “first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.” Earlier this year, it was speculated that data-wiping malware, dubbed Jokra, which crippled critical businesses, including broadcast companies and banks throughout South Korea in March, was the work of Chinese hackers.
