We discovered a phishing campaign targeting South Korean websites and users’ credentials using the watering hole technique. Labeling the campaign Soula, cybercriminals injected a malicious JS code in at least four websites for a fake login pop-up to appear at intervals before they can continue using the pages.Read More
Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.
The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations.
9002 RAT also installed additional malicious tools: an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper. These tools hint at how the attackers are also after data stored in their target’s web server and database.Read More
What sort of interest would a businessman have in a news agency? That was the question that arose from our recent investigation on an attack that appears to target a media agency in South Korea. Shadow Force is a new backdoor that replaces a DLL called by a particular Windows service. Once that backdoor is open, the attacker…Read More
Today we’re releasing our research paper on the operations of the Yanbian Gang—a Chinese cybercriminal group that use mobile malware to siphon off money from account holders of South Korean banks. They are able to transfer up to US$1,600 worth of local currency from victims’ accounts every single day since 2013. This investigation is the result…Read More
In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South…Read More