THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER

Recommendations

Info

JOANAP.B DOWNLOADED BACKDOOR, SEP 2009 However, spreading is not the main payload of the B version of Joanap. Instead, it attempts to download and install a second stage malware. This malware, with the sha256 hash of c6d96be46ce3d616e0cb36d53c4fade7e954e74bfd2e34f9f15c4df58fc732d2, was hosted on the URL hxxp://www.booklist.co.kr/upload/img/200810/25.gif. It would be downloaded and saved to disk under the name sysfault.exe and executed. This malware is an installer, installing a service dll in the system folder under the name “sdnssec.dll”. This is a listenonly backdoor, establishing a listening socket on port 136. Similar to the Joanap.A variant and other KorDllbot-related backdoors, this supports a number of integer commands. The binary contains quite a lot of debug messages helpfully explaining the functionality of these. Command 0x1010 0x1011 0x1012 0x1013 0x1014 0x1015 0x1016 0x1017 0x1018 0x1019 0x1020 0x1021 0x1023 0x1030 0x1031 0x1032 0x10FF Function List drives File browse File copy File delete File upload (to target) File download (to botmaster) Execute file Change filetime Folder download (to botmaster) Test connect Run shell command Sleep File properties Process view Process kill Process kill by name Uninstall
JOANAP.C BACKDOOR, JUL 2010 The installer of Joanap.D (next entry) also actively deletes installed files named signtc.ax, signtm.ax, or signts.ax. Searching for these brought up an apparently preceding sample which uses one of these files - signtc.ax - for storing data. This sample appears to belong to a series of previous backdoors somewhat related to KorDllbot – example SHA-256 hash is 4b6078e3fa321b16e94131e6859bfca4503bcb440e087d5ae0f9c87f1c77b421. We have not analyzed this variant in detail.
Page 1 and 2: FROM SEOUL TO SONY: THE HISTORY OF
Page 3 and 4: INTRODUCTION Much has been written
Page 5 and 6: MALWARE ARCHEOLOGY As research into
Page 7 and 8: THE KORDLLBOT BACKDOOR FAMILY KorDl
Page 9 and 10: THE MicrosoftCodeSigningPCA CERTIFI
Page 11 and 12: KORDLLBOT-RELATED SMB WORMS The mal
Page 13 and 14: THE DOZER (AKA 7.7 DDOS) ATTACK The
Page 15 and 16: THE JOONGANG ILBO ATTACK In 2012, t
Page 17 and 18: THE KORHIGH MALWARE The Korhigh mal
Page 19 and 20: File timestamp matching function co
Page 21 and 22: NOV 2014: SONY ATTACK DESTOVER BACK
Page 23 and 24: THE KIMSUKY SYSTEM The Kimsuky malw
Page 25 and 26: WORKS CITED 1. FBI. FBI Liaison Ale
Page 27 and 28: APPENDIX: TECHNICAL DETAILS Note: D
Page 29: JOANAP.B WORM, OCT 2009 This malwar
Page 33 and 34: JOANAP.E WORM, AUG-SEP 2011 Joanap.
Page 35 and 36: THE DESTOVER FAMILY DESTOVER “B07
Page 37 and 38: DESTOVER “WINDOWSUPDATETRACING”
Page 39 and 40: Since we know the XOR key used, we
Page 41 and 42: DESTOVER “B8AC0905” BACKDOOR, M
Page 43: DESTOVER “DUUZER” BACKDOORS, MA
Page 46 and 47: Decoy documents used by the “e400
Page 48 and 49: DESTOVER “BASICHWP” BACKDOOR, S
Page 50 and 51: DESTOVER “VOLGMER2” BACKDOOR, J
Page 52 and 53: APPENDIX: ALGORITHMS AND OTHER INDI
Page 54 and 55: XOR-XX-SUB-XX obfuscation This is a
Page 56 and 57: DB-SUB API Obfuscation This is a fo
Page 58 and 59: Intbox encoding This encoding is us
Page 60 and 61: KorDllbot / Joanap AES keys “Bb10
Page 62 and 63: Destover “Volgmer2” SSL remote
Page 64 and 65: 3d2a7ea04d2247b49e2dcad63a179ae6a47
Page 66 and 67: 6d5d706f5356e087f5961ba2ed808c51876
Page 68 and 69: APPENDIX: MALWARE HASHES KorDllbot-
Page 70 and 71: Destover “b076e058” samples Dro
Page 72 and 73: Destover “Duuzer” samples X86 s
Page 74 and 75: APPENDIX: C&C DATA Joanap-related C
Page 76 and 77: Destover “Duuzer” C&C IP addres
Page 78: ule DarkSeoul_Obf_Caracachs : Backd

THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER

Create successful ePaper yourself

Delete template?

Save as template?