THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER

Recommendations

Info

Decoy documents used by the “e4004c1f” variant include a Korean text on the LDAP protocol. Apart from the similarities with other malware established in the publications mentioned above, this variant has been distributed in a particular installer which includes the backdoor in an embedded password-protected zip archive. The password for this zip archive is “!1234567890 dghtdhtrhgfjnui$%^^&fdt” - identical to the password used by Destover “Volgmer” backdoors already detailed in this paper. There are also code similarities with Volgmer elsewhere – for example, the function to declare network API’s from ws2_32.dll is identical, and the API names are encoded using the same API obfuscation scheme. The C&C configuration can be hardcoded, or stored in a data file and subkeys under the registry key HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security. Some variant A samples uses subkey a57890bc-ca23-3453-a23c-d385e9058fdf Some variant C samples uses subkey 821d1af-7a08-4b06-81cd-869365cdf713
The network API declaration function of a Destover “Volgmer” and a Destover “e4004c1f” backdoor.
Page 1 and 2: FROM SEOUL TO SONY: THE HISTORY OF
Page 3 and 4: INTRODUCTION Much has been written
Page 5 and 6: MALWARE ARCHEOLOGY As research into
Page 7 and 8: THE KORDLLBOT BACKDOOR FAMILY KorDl
Page 9 and 10: THE MicrosoftCodeSigningPCA CERTIFI
Page 11 and 12: KORDLLBOT-RELATED SMB WORMS The mal
Page 13 and 14: THE DOZER (AKA 7.7 DDOS) ATTACK The
Page 15 and 16: THE JOONGANG ILBO ATTACK In 2012, t
Page 17 and 18: THE KORHIGH MALWARE The Korhigh mal
Page 19 and 20: File timestamp matching function co
Page 21 and 22: NOV 2014: SONY ATTACK DESTOVER BACK
Page 23 and 24: THE KIMSUKY SYSTEM The Kimsuky malw
Page 25 and 26: WORKS CITED 1. FBI. FBI Liaison Ale
Page 27 and 28: APPENDIX: TECHNICAL DETAILS Note: D
Page 29 and 30: JOANAP.B WORM, OCT 2009 This malwar
Page 31 and 32: JOANAP.C BACKDOOR, JUL 2010 The ins
Page 33 and 34: JOANAP.E WORM, AUG-SEP 2011 Joanap.
Page 35 and 36: THE DESTOVER FAMILY DESTOVER “B07
Page 37 and 38: DESTOVER “WINDOWSUPDATETRACING”
Page 39 and 40: Since we know the XOR key used, we
Page 41 and 42: DESTOVER “B8AC0905” BACKDOOR, M
Page 43: DESTOVER “DUUZER” BACKDOORS, MA
Page 48 and 49: DESTOVER “BASICHWP” BACKDOOR, S
Page 50 and 51: DESTOVER “VOLGMER2” BACKDOOR, J
Page 52 and 53: APPENDIX: ALGORITHMS AND OTHER INDI
Page 54 and 55: XOR-XX-SUB-XX obfuscation This is a
Page 56 and 57: DB-SUB API Obfuscation This is a fo
Page 58 and 59: Intbox encoding This encoding is us
Page 60 and 61: KorDllbot / Joanap AES keys “Bb10
Page 62 and 63: Destover “Volgmer2” SSL remote
Page 64 and 65: 3d2a7ea04d2247b49e2dcad63a179ae6a47
Page 66 and 67: 6d5d706f5356e087f5961ba2ed808c51876
Page 68 and 69: APPENDIX: MALWARE HASHES KorDllbot-
Page 70 and 71: Destover “b076e058” samples Dro
Page 72 and 73: Destover “Duuzer” samples X86 s
Page 74 and 75: APPENDIX: C&C DATA Joanap-related C
Page 76 and 77: Destover “Duuzer” C&C IP addres
Page 78: ule DarkSeoul_Obf_Caracachs : Backd

THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?