Incident Response, Malware, TDR

Malicious program enhances APT campaign against South Korea

PinkStats, a downloader that spreads additional malware once it infects its target, has been repeatedly used in advanced persistent threat (APT) campaigns around the globe over the past four years, researchers have found.

The malicious program masquerades as legitimate web statistics software and, in the most recent APT campaign starting two months ago, saboteurs, believed to be based in China, infected more than 1,000 machines belonging to universities and other educational institutions in South Korea.

Aviv Raff, CTO and co-founder of Seculert, an Israel-based security firm, said in a Tuesday blog post that the malware displays an admin panel that looks similar to a panel used by most web analytics tools.

Other malware components unleashed by PinkStats include a worm commonly used in China, called zxarps, which performs address resolution protocol (ARP) poisoning, when an attacker changes the Media Access Control (MAC) address of a victim to intercept communications between the infected computer and another machine in the local area network.

The worm also injects an IFRAME tag into active web sessions on new victims' machines, spreading PinkStats to others in the local network, Raff wrote.

Zxarps spreads unbeknownst to victims because it is disguised as an install of ActiveX software (a software framework developed by Microsoft).

A warning sign is that the ActiveX file is signed by “Thawte,” a certificate authority based in South Africa, but issued to a fake company called “Liaocheng YuanEr Technology Co.”

PinkStats' second malware component is a distributed denial-of-service (DDoS) tool, which disguises itself as fake V3Light Framework software owned by South Korean anti-virus company AhnLab.

Raff said this campaign showcases the “first real proof that Chinese-speaking adversaries are indeed targeting South Koreans." Earlier this year, it was speculated that data-wiping malware, dubbed Jokra, which crippled critical businesses, including broadcast companies and banks throughout South Korea in March, was the work of Chinese hackers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.