Spear phishes used to infect South Korean corporate networks

After analyzing data-wiping malware linked to recent attacks on South Korean corporations, researchers now know that the companies were hit when employees fell for a spear phishing ruse.

Sean Sullivan, security adviser at Finnish security firm F-Secure, told SCMagazine.com on Monday that the spurious emails included HTML-based attachments. 

“These were samples data-mined by analysts last week,” Sullivan said, adding that it is unknown, however, based on the samples, which organizations were targeted.

In a Monday blog post, Broderick Aquilino, a researcher at F-Secure, explained how attackers hid the real extension that victims were opening.

“Those with keen eyes would notice that the malware inside the archive is using double extensions combined with a very long file name to hide the real extension,” Aquilino wrote. “This is a common social engineering tactic that started during the era of mass mailing worms almost a decade ago. Therefore, we believe the archive is most likely sent as [an] attachment in spear phishing emails.”
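As an added defender-side example (not code from the article or from F-Secure), the following Python check flags archive member names that use the lure Aquilino describes: a decoy document extension followed by an executable one, with the name padded so the real extension scrolls out of view. The extension lists, the 64-character threshold and the sample names are assumptions constructed for illustration.

```python
from __future__ import annotations
import re

# Constructed lists for this example; tune them to your own environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".htm", ".html"}


def classify_name(name: str, max_len: int = 64) -> list[str]:
    """Return the reasons a member name looks like the double-extension /
    long-name lure, or [] when nothing stands out."""
    reasons = []
    # The lure pads the name so the real extension is pushed out of view;
    # collapse the padding before looking at the dotted components.
    compact = re.sub(r"\s+", "", name).lower()
    parts = compact.split(".")
    exts = ["." + p for p in parts[1:]]  # every dotted component after the base name
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        reasons.append(f"decoy extension {exts[-2]} hides real extension {exts[-1]}")
    if len(name) > max_len:
        reasons.append(f"name length {len(name)} exceeds {max_len}")
    if re.search(r"\s{8,}", name):
        reasons.append("run of whitespace padding before the real extension")
    return reasons


def scan_archive_listing(names: list[str]) -> dict[str, list[str]]:
    """Apply classify_name to each member name of an archive listing and
    return only the flagged names with their reasons."""
    return {n: r for n in names if (r := classify_name(n))}


if __name__ == "__main__":
    # Constructed sample listing: one benign document, one padded lure.
    listing = [
        "quarterly_report.pdf",
        "Meeting Minutes 2013-03-17 (Final, Approved)" + " " * 40 + ".pdf.exe",
    ]
    for member, why in scan_archive_listing(listing).items():
        print(repr(member), "->", "; ".join(why))
```

Date-like names such as `2013.03.17 report.pdf` are not flagged, because only a document-then-executable pair at the end of the name counts.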

The malware that F-Secure analyzed appeared to reach victims on March 17, though it was set to wipe files three days later, when companies throughout South Korea began reporting issues such as downed websites, blocked servers and infections that erased computer files.

According to The New York Times, NongHyup and Jeju, major banks in South Korea, reported malware outbreaks that destroyed computer files. The Times also reported that Shinhan Bank's internet banking servers were temporarily blocked on Wednesday. The computers of employees of KBS and MBC, television stations in South Korea, reportedly froze, as well, in addition to KBS' website becoming inoperable.

Security firm Symantec published a blog post on Friday, saying it found four variants of a data-wiping trojan, dubbed “Jokra,” that were being used in the attacks. Two strains of the malware were designed to immediately wipe data upon execution, while the others were set to carry out the tasks at 2 p.m. and 3 p.m. last Wednesday.
