On Tuesday, South Korea raised the country’s cyber security alarm from level 1 to 3, because of several incidents that affected different government and news websites in South Korea. One of the several attacks related to the June 25 security incident involved the compromise of the auto-update mechanism related to the legitimate installer file SimDisk.exe, which we were able to get a sample of. SimDisk is a file-sharing and storage service.
Most software vendors’ auto-update mechanisms are intended to be non-intrusive to the user experience in order to help consumers keep their software patched and updated with the latest versions of the software. This is extremely important in preventing exploit attacks that leverage software vulnerabilities in order to perpetrate cybercrime or targeted attacks.
In the SimDisk case, the legitimate software are configured to automatically download updates from a specific website. However, this website was compromised with a modified version of the installer (detected as TROJ_DIDKR.A). The modified version drops a copy of the legitimate installer in order to simulate what should typically happen. But it actually also drops another file, which is a malicious component that connects to a malicious location, allowing the infection chain to play out as intended.
Figure 1. Possible attack scenario
All the files noted above are detected as TROJ_DIDKR.A. The malicious file which connects to the Tor network takes its name from any process that is currently running on the system.
We are currently investigating this and related incidents. We currently do not have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanism of the vendors they choose to trust. Software vendors should also prioritize safeguarding product servers and the overall security of their network using products, considering the impact that a compromise in this area has on their software’s users.
Trend Micro blocks all the malicious URLs related to this specific attack and also the malicious component of the compromised installer file. Trend Micro Deep Discovery helps enterprises defend their networks through network-wide visibility, insight, and control.
With additional analysis from Threat researchers Harli Aquino and Nikko Tamaña
Update as of June 26, 6:35 AM PDT
We also found evidence that the same technique of compromising the auto-update mechanisms of web application installers is being used in other attacks. Specifically, Songsari_setup.exe, a legitimate installer file, has also been modified to drop a malicious component that will connect to a URL to download files. Our detection for these compromised installer files and other related files is TROJ_DIDKR.A.
Figure 2. Possible attack scenario
With additional analysis from Network threat researcher Dexter To