Shortly after 10:00am Jun 25th 2013, many government websites from South Korea were not accessible. It was actually caused by the malware performing ddos attack on 2 major DNS servers (ns.gcc.go.kr and ns2.gcc.go.kr).
Original Attack Vector
During the investigation, we managed to find the original attack sample which was served by a compromised website at that time (simdisk.co.kr).
The downloaded file named SimDisk_setup.exe turned out to be a self-extracting RAR file.
In this SFX RAR file were sitting 2 files:
SimDiskup.exe (created on 2013-06-24) is the malicious file. It downloads other malicious files from a remote website.
For instance it tried to download c.jpg from the website above.
Actually c.jpg is obviously an executable, saved as ~simdisk.exe and run after successfully downloaded.
Upon execution, it will drop 3 files, 2 of them (explorer.exe and config.ini) turning out to be the TOR system version 0.2.3.25. The third file, alg.exe, is yet another downloader.
alg.exe will then use the tor network to download yet another file, which is the final DDoS payload. It will try to connect to the following tor onions (onions are hidden, untraceable websites available only via Tor nodes):
The interesting thing here is, the files mentioned above are all packed with the infamous run-time packer called Themida. But the final payload, downloaded by alg.exe, is not.
First, it will check for a FileMapping Object
Does this remind us of the 3.20 disk wipe-out attack?
After that, it will check for the OS architecture, 32bit or 64bit. In the case of a 32bit OS, it will drop ~DR[random number].tmp file from the resource section. After loading the ~DR tmp file, it will load another DLL file as a service. (It will do the same in 64bit OS).
After the service starts, it will check for the FileMapping Object:
After resolving the API address, it will create a thread to start the communication.
The response data is split in 2 parts:
1.) BM6W -> The only command which is hardcoded in the binary
If the response data is anything other than BM6W, it will sleep, then try again.
2.) - 06 19 0a 00 - 0x06 - Month - 0x19 - Day - 0x0a - hour - 0x00 - minute
Looks like a time-bomb. Does this also remind us the 3.20 disk wipe-out attack?
If the system time has passed 6-25 10:00, it will drop another file which is packed by Themida as well. The filename is seen below:
It will start 2 threads to perform the Ddos attack by querying [random string].gcc.go.kr:
The 2 Ddos targets are hardcoded in the binary.
- Ns.gcc.go.kr - 18.104.22.168
- Ns2.gcc.go.kr - 22.214.171.124
In a nutshell the attack scenario flow can be represented as follows:
simdisk.co.kr → serves SimDisk_setup.exe &#8594; ** extracts to **SimDiskup.exe &#8594; downloads c.jpg &#8594; saved as ~simdisk.exe &#8594; drops alg.exe (plus Tor) → gets time of attack from hidden websites and drops wuauieop.exe &#8594; queries DNS for [random string].gcc.go.kr