
Research sheds light on “Dark Seoul” sabotage gang


Over the past four years a politically motivated group has targeted companies, mostly in South Korea, by planting trojans capable of wiping data, shuttering websites through distributed denial-of-service (DDoS) attacks and stealing sensitive corporate information.

The gang behind these attacks, known as Dark Seoul, targeted South Korean banks and news organizations in March, Symantec said in a Wednesday blog post. Those incidents included a trojan named Jokra, which targeted Linux machines and overwrote the master boot record (MBR) along with the data stored on the disk.

Researchers have now found that the group also used a downloader dubbed Castov to target South Korean financial institutions in May and a government server just this week. The downloader dropped malware that launched DDoS attacks against the server and stole data from banks in the country.

Symantec has not determined where the Dark Seoul gang is operating from, but it believes the campaigns have been politically motivated because of the theme of the messages used to overwrite files. The United States has also been targeted: on July 4, 2009, attackers knocked websites offline with a trojan called Dozer.

On Tuesday, the 63rd anniversary of the start of the Korean War, the Castov trojan was used to DDoS South Korean government websites.

Liam O'Murchu, manager of operations at Symantec Security Response, said on Friday that the attacks have demonstrated a high level of coordination, and that Dark Seoul seeks to spy on its targets before sabotaging their data and operations.

“The attacks are quite organized and they do drop backdoors as part of the attacks,” O'Murchu said. “I believe they do this so they can analyze the best way to damage [organizations]. Then they'll try to abuse their systems to distribute malware."

O'Murchu said attackers have followed a pattern over the years where they determine a company's patching schedule, then use a tool that the administrator would use to patch systems, but instead utilize it to distribute malware.

“They look to see how that company distributes their patches, so they can send the malware to every computer in the business and wipe them all in the same day,” O'Murchu said. Saboteurs have also stolen administrators' login credentials to distribute trojans, he added.

On Thursday, Symantec also reported on a wiper trojan called Korhigh, which was recently used by a separate, unidentified group to delete files and overwrite the master boot record (MBR) on computers at South Korean organizations.

O'Murchu said that the success of groups like Dark Seoul has encouraged other hackers with enough resources to opt for campaigns that sabotage companies' operations, as opposed to merely stealing user credentials to carry out fraud.

“People have seen other threats doing this and realized you can cause a lot of damage by wiping data or [carrying out] denial-of-service,” O'Murchu said. “In the last couple of years, we've seen multiple groups that are causing high impact damage.”
