DarkSeoul: SophosLabs identifies malware used in South Korean internet attack

Internet attack hits South Korean banks and broadcasters

Whois team

SophosLabs has identified the malware used in the major internet attack that hit systems in South Korea earlier today.

Computer networks belonging to South Korean TV broadcasters and at least two major banks in the country have been disrupted by what some have suggested was a malicious internet attack originating in North Korea.

At approximately 2pm local time, computers at the Shinhan and NongHyup banks were brought down – impacting internet banking and ATMs. Similarly, systems at the KBS, MBC, and YTN television stations were reportedly crippled – although broadcasts were not interrupted.

Failing to boot

Some media reports have said that computers failed to boot up properly, and displayed an image of three skulls alongside a message claiming that the systems had been “hacked by Whois Team”.

Whois Team message

However, in Sophos’s testing so far we have not been able to replicate this payload.

According to a Reuters report, LG U+, the company which provides internet services to at least some of the companies named above, says that it believes its network was hacked.

The malware, detected proactively by Sophos products as Mal/EncPk-ACE, has been dubbed “DarkSeoul” by experts analysing its code at SophosLabs.

What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated.

For this reason, it’s hard to jump to the immediate conclusion that this was necessarily evidence of a “cyberwarfare” attack coming from North Korea.

Backing up the evidence that the attack was targeted against South Korean computers, Sophos experts have determined that “DarkSeoul” attempts to disable two popular anti-virus products developed in the country: AhnLab and Hauri AV.

Section of malware code designed to disable Korean anti-virus products

Who are the “Whois Team”? No-one is sure. And as yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.

What we do know is that there have long been claims that North Korea operates a cyberwarfare unit (presumably countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre was the target of a spyware attack from North Korea’s electronic warfare division.

The woman at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

Both countries recognise how the internet can be harnessed for the purpose of spying and military advantage.

To help other security researchers here are some checksums of samples we have seen of this malware:


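One way a researcher would put published checksums like these to use is a small triage script that hashes suspect files and compares them against a list of known-bad values. The following is an added example, not code from this article or from SophosLabs. The entry in `KNOWN_BAD_SHA256` is a placeholder (the SHA-256 of an empty file) rather than a DarkSeoul hash, since the checksums are not present in the text as extracted here, and the files it scans are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder: replace with the SHA-256 checksums published for the samples.
# This is NOT a DarkSeoul hash; it is the SHA-256 of an empty file, used only
# so the example can be exercised offline.
KNOWN_BAD_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

HASH_NAMES = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, read in chunks
    so large samples do not have to be loaded into memory at once."""
    digests = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def scan_directory(root, known_bad=KNOWN_BAD_SHA256):
    """Walk `root`, hash every regular file, and return {path: sha256}
    for files whose SHA-256 appears in `known_bad` (case-insensitive)."""
    wanted = {h.lower() for h in known_bad}
    matches = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            sha256 = hash_file(path)["sha256"]
            if sha256 in wanted:
                matches[path] = sha256
    return matches


def demo():
    """Build a constructed sample directory (one file matching the
    placeholder checksum, one benign file) and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.bin").write_bytes(b"")       # matches placeholder
        Path(tmp, "benign.txt").write_bytes(b"hello")  # does not match
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"MATCH {digest}  {path}")
```

In practice the script is pointed at a quarantine or sample directory rather than the constructed one in `demo()`; matching on SHA-256 avoids the collision weaknesses of MD5 while the other digests are still reported for cross-referencing vendor write-ups that publish only MD5 or SHA-1.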
Thanks to Paul Baccas of SophosLabs for his assistance with this article.