Chinese malware attack affected dozens of South Korean organizations, researchers say
Over 1,000 computers were recently infected with a piece of malware used by Chinese-speaking hackers, researchers from Seculert said
IDG News Service - A recent targeted attack that used Chinese malware compromised over 1,000 computers belonging to dozens of South Korean organizations, according to researchers from Israeli security firm Seculert.
The main malware tool used in the attack is called PinkStats and has been used by several Chinese-language groups to target different organizations and nation states from around the world during the past four years, the Seculert researchers said Tuesday in a blog post.
PinkStats is designed to download and install additional malicious components after it infects a computer and then report successful installations to its command and control server.
In the South Korean attacks, the malware installed a common Chinese attack tool called "zxarps" that acts as a worm on the local network, the Seculert researchers said.
The "zxarps" tool uses a technique called ARP poisoning to intercept Web sessions from other computers on the network and inject a malicious ActiveX component into them. If executed, the ActiveX control installs the PinkStats malware.
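The ARP-poisoning technique described above leaves a network-level footprint that defenders can watch for: the same IP address suddenly being answered by a different MAC, or one MAC answering for several IPs. The following is an added example, not code from the article or from Seculert, that parses raw ARP reply frames and flags those two indicators. The frames, MAC addresses and IPs in it are constructed sample data.

```python
"""Flag ARP-cache-poisoning indicators in a stream of raw Ethernet/ARP frames.

Added example (not from the article or from Seculert). It parses ARP replies
and alerts when an IP's MAC binding changes or one MAC claims several IPs,
which is what LAN-level session interception looks like from the wire.
All frames, MACs and IPs below are constructed sample values.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_reply(sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Construct a raw Ethernet frame carrying an ARP reply (sample data only)."""
    eth_header = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = sender_mac + ip_to_bytes(sender_ip) + target_mac + ip_to_bytes(target_ip)
    return eth_header + arp_header + arp_body


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = frame[22:28]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpPoisonDetector:
    """Track IP->MAC bindings seen in ARP replies and record suspicious changes."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, mac, ip = parsed
        if opcode != ARP_REPLY:
            return
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # Indicator 1: an IP we already knew is now answered by another MAC.
            self.alerts.append(f"IP {ip} moved from {mac_str(previous)} to {mac_str(mac)}")
        if self.mac_to_ips[mac] and ip not in self.mac_to_ips[mac]:
            # Indicator 2: one MAC now claims more than one IP (e.g. gateway and a host).
            claimed = sorted(self.mac_to_ips[mac] | {ip})
            self.alerts.append(f"MAC {mac_str(mac)} claims multiple IPs: {claimed}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)


def run_sample():
    """Replay a constructed capture: legitimate replies, then a spoofing host."""
    gateway_mac, host_mac, rogue_mac = b"\xaa" * 6, b"\xbb" * 6, b"\xcc" * 6
    frames = [
        build_arp_reply(gateway_mac, "10.0.0.1", host_mac, "10.0.0.20"),   # legit gateway
        build_arp_reply(host_mac, "10.0.0.20", gateway_mac, "10.0.0.1"),   # legit host
        build_arp_reply(gateway_mac, "10.0.0.1", host_mac, "10.0.0.20"),   # repeat: no alert
        build_arp_reply(rogue_mac, "10.0.0.1", host_mac, "10.0.0.20"),     # rogue claims gateway
        build_arp_reply(rogue_mac, "10.0.0.20", gateway_mac, "10.0.0.1"),  # rogue claims host
    ]
    detector = ArpPoisonDetector()
    for frame in frames:
        detector.observe(frame)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real network the frames would come from a raw socket or a pcap rather than from `build_arp_reply`; the detector logic is unchanged. A binding that flips back and forth between two MACs is a stronger signal than a single change, since legitimate re-addressing settles on one MAC, so in production the alert list is worth aggregating per IP before paging anyone.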
The malicious component was signed with a valid digital certificate issued by certificate authority Thawte to what is likely a fake company with a South Korean name, the researchers said.
A second component installed by PinkStats is a malware tool used to launch DDoS (distributed denial-of-service) attacks. The component masquerades as software developed by South Korean antivirus vendor AhnLab.
The attackers don't seem to have sent any specific instructions to the DDoS malware yet, the Seculert researchers said. However, it is reasonable to assume that this could change at any time, they said.
Data obtained by Seculert researchers from a PinkStats administration panel suggests that over 1,000 computers in South Korea were infected in the recent attack. Many of those machines belong to universities and other educational institutions.
Earlier this year, attackers used malware to cripple the computer networks of several South Korean banks and TV broadcasters. While many in South Korea blamed North Korean hackers for the attack, some security researchers said the malware's code is distinctly Chinese.
Even though there has been speculation that Chinese-speaking hackers have attacked South Korean organizations before, PinkStats seems to be the first proof of such an attack, the Seculert researchers said.