SophosLabs has identified the malware used in the major internet attack that hit systems in South Korea earlier today.
Computer networks belonging to South Korean TV broadcasters and at least two major banks in the country have been disrupted by what some have suggested was a malicious internet attack originating in North Korea.
At approximately 2pm local time, computers at the Shinhan and NongHyup banks were brought down – impacting internet banking and ATMs. Similarly, systems at the KBS, MBC, and YTN television stations were reportedly crippled – although broadcasts were not interrupted.
Some media reports have said that computers failed to boot up properly, and displayed an image of three skulls alongside a message claiming that the systems had been “hacked by Whois Team”.
However, in Sophos’s testing so far we have not been able to replicate this payload.
According to a Reuters report, LG U+, the company which provides internet services to at least some of the companies named above, says that it believes its network was hacked.
The malware, detected proactively by Sophos products as Mal/EncPk-ACE, has been dubbed “DarkSeoul” by experts analysing its code at SophosLabs.
What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated.
For this reason, it’s hard to jump to the immediate conclusion that this was necessarily evidence of a “cyberwarfare” attack coming from North Korea.
Backing up the evidence that the attack was targeted against South Korean computers, Sophos experts have determined that “DarkSeoul” attempts to disable two popular anti-virus products developed in the country: AhnLab and Hauri AV.
Who are the “Whois Team”? No-one is sure. And as yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.
What we do know is that there have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre was the target of a spyware attack from North Korea’s electronic warfare division.
The sexy female seductress at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.
In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.
Both countries recognise how the internet can be harnessed for the purpose of spying and military advantage.
To help other security researchers, here are some checksums of samples we have seen of this malware:
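The checksums themselves are not reproduced in this copy of the article. As an added example (not Sophos code, and not part of the original post), the script below shows how a defender would put a published list like that to use: hash files on disk and report any that match the known-bad set. The two hashes in KNOWN_BAD_SHA256 are obvious placeholders, not the DarkSeoul checksums; replace them with the vendor-published values.

```python
import hashlib
from pathlib import Path

# Constructed placeholder IoC list: these are NOT the DarkSeoul checksums.
# Replace the keys with the SHA-256 values published by the vendor.
KNOWN_BAD_SHA256 = {
    "0" * 64: "PLACEHOLDER-sample-1",
    "1" * 64: "PLACEHOLDER-sample-2",
}


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (used for unit checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(hashes, iocs=KNOWN_BAD_SHA256):
    """Return {hash: label} for every supplied hash that is in the IoC set.

    Hashes are compared case-insensitively, since published lists mix cases.
    """
    lowered = {k.lower(): v for k, v in iocs.items()}
    hits = {}
    for h in hashes:
        key = h.strip().lower()
        if key in lowered:
            hits[key] = lowered[key]
    return hits


def scan_directory(root, iocs=KNOWN_BAD_SHA256):
    """Walk a directory tree and return (path, sha256, label) for each IoC hit."""
    lowered = {k.lower(): v for k, v in iocs.items()}
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            # Unreadable or vanished file: skip rather than abort the sweep.
            continue
        if digest in lowered:
            hits.append((str(p), digest, lowered[digest]))
    return hits


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_directory(root):
        print(f"IoC hit: {path}  {digest}  ({label})")
```

Run it as `python ioc_scan.py /path/to/suspect/tree`. A hash match is a strong but narrow indicator: a single byte changed in the binary defeats it, so treat a clean sweep as absence of these exact samples, not as absence of the malware family.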
Thanks to Paul Baccas of SophosLabs for his assistance with this article.
8 comments on “DarkSeoul: SophosLabs identifies malware used in South Korean internet attack”
> Who are the "Whois Team"?
Are there no clues to be had from the website address in the picture? (Between the "who is 'whois'" line and the "warning" line.)
It's hard to make out the URL in the screen-shot. I'm not sure whether it's been censored, or it's just a poor quality image. I can definitely make out a ".com" at the end, and a "who" slightly before it.
It's just "@whois.com," with one of six possible "addresses" in front of it.
Look at that vid.
It's the screen (at least they say it is) with a moving picture and text.
You can see multiple e-mail addresses, but no website.
With a little luck these addresses might be used more on 'certain' forums?
You said: "Some media reports have said that computers failed to boot up properly, and displayed an image of three skulls alongside a message claiming that the systems had been "hacked by Whois Team."
Correct me if I'm wrong, but the "Whois" team attack appears to be separate from the "malware" attack. As we understood it, the "Whois" skulls appeared as a site defacement on LG U+ not when people booted their systems.
Yes, that looks like it’s correct. We’ve found no reference to Whois or the Skulls message in the malware itself.
Some of the early media reports combined the skulls message with the malware itself. Hopefully our article made clear that we hadn’t been able to prove that the malware did that.
Use spell check!
Forgive me – what have i misspoolked?
Having played around with the image in GIMP, as far as I can make out, that address reads WICKEnm4St3r..whois.com. There appears to be a character before ‘whois.com’ that I can’t make out. It doesn’t seem to have the roundness of an ‘@’ but it’s just too distorted to tell.