Operation Troy – How researchers linked the cyberattacks

by | Oct 28, 2021

Reading Time: 7 Minutes

South Korea was the victim of an enormous cyberattack on March 20, 2013. The attack was meant to cause damage and hit multiple organizations, including South Korean TV networks and financial institutions, by wiping thousands of computer hard drives with wiper malware.

Several security firms provided insights into the likely source of these attacks and how they were carried out. The attack was initially known as “Dark Seoul” and is now known as “Operation Troy”. The name Troy comes from repeated references to the ancient city found in the compile path strings of the malware code.

McAfee’s analysis showed that the attacks, beyond the data losses caused by wiping the master boot record (MBR), were actually the final stage of a covert espionage campaign coming from North Korea.

The adversaries

Software developers and hackers tend to leave fingerprints and footprints in their code: small artifacts that forensic investigators can use to try to determine the original source of a given program.

Researchers determined that the primary hacking group responsible for the attacks was the New Romanic Cyber Army Team, which makes heavy use of Roman terms in its code. Most of the wipers contained the strings “principes” and “hastati,” which also appeared in a message left on one of the targeted websites in the form of a web pop-up.

The other hacking group was the “Whois Hacking Team”, which defaced the website of the network provider LG on March 20. Researchers found that some wiper components worked differently from the wipers employed by the New Romanic team, and that they also included, in a resource file inside the binary, the same graphics that appeared on the defaced LG website.

Message by the Whois Hacking Team on a defaced website (image). Credit: Tracing the Lineage of DarkSeoul, David Martin.

Anatomy of the attack

What types of malware were involved?

Several types of malware were involved in these attacks, and they resulted directly in the destruction of computers through the MBR wiper component, as well as in remote access to the targets for a period before the attack.

The dropper Trojan was primarily used to download the executable that destroyed the systems’ MBRs. Upon execution, the MBR wiper immediately started wiping the system, rendering it unbootable. When the dropper was executed it installed the wiper, which destroyed the MBRs, and the systems were wiped within minutes.

The remote-access Trojan: McAfee researchers determined that the attackers had access to the systems before wiping them, and the remote-access Trojan was likely delivered to an internal machine via a successful spear-phishing attack.

They also used an IRC botnet that relied on a network of hacked South Korean websites on which they hosted their IRC servers. The infected machines communicated through these IRC servers and used functions imported from the Microsoft Cryptography API in the library bs.dll, in which the control domains were hard-coded.

The NSTAR Trojan was the first member of the Troy family, dating back to 2009, when it was created for a phishing espionage campaign. NSTAR used components in the same way as the seven later Troy variants did; it included a shared DLL (bs.dll) that was also found in the 2010 and 2011 variants.

The variants that followed, “Chang and EagleXP” (2010), “HTTP Troy” (2011), “Http Dr0pper” (2012), “Tong” (2012) and “TDrop” (2013), changed little in their core functionality; the differences had more to do with programming technique.

The researchers traced the lineage of the Troy variants using the fingerprints and footprints that the malicious developers left behind and that were examined in the source code of the malware variants.

Compile paths, one type of fingerprint the researchers tracked, are the paths through the developer’s file system (the working directory) to the location where the source code is stored, as documented in the report.

The NSTAR variant used the same DLL as Troy and Chang/EagleXP, as we can see below.

The compile path of NSTAR was E:\Work\BackUp\2011\nstar_1103\BackDoor\BsDllup\Release\BsDll.pdb, while HTTP Troy’s was Z:\source\1\HttpTroy\BsDll-up\Release\BsDll.pdb.

Http Dr0pper included the compile path Z:\\1Mission\\Team_Project\\[2012.6~]\\HTTPTroy\\HttpDr0pper\\Win32\\Release, indicating that it was a more advanced version based on the HTTP Troy variant and compiled in 2012.

Many of the variants were disguised as executable files of a security product. Http Dr0pper disguised its dropper component as AhnlabUpdate.exe. Just like Http Dr0pper, TDrop, which was compiled on January 15, 2013, used the same executable name (AhnlabUpdate.exe) to disguise its dropper. They also shared the same file-mapping function and DLL.

Http Dr0pper code (image):

TDrop code (image):

When the main Trojan file (Main.exe) executes, it launches RunCmd.exe, which then launches AhnlabUpdate.exe. These files are created in a directory inside a temp directory created on the desktop. It was obvious to the researchers that the attackers knew what security software the victims used and tried to make the malware look as legitimate as possible. AhnlabUpdate.exe then dropped and ran an additional executable, a RAT payload that established the connection to the control server.

In early 2013, the Concealment Troy Trojan brought functional improvements over the first variants: it was better at concealing itself from standard security techniques. The 3RAT client was the first version of Troy to inject itself into Internet Explorer. Wiper functionality was added alongside the Concealment Trojan in the last attack, named “DarkSeoul”, which in April 2013 crippled thousands of computers at financial services and media companies in South Korea.

This variant did not use real-time IRC control as the earlier variants did. It was a typical HTTP botnet that used HTTP as its primary communication channel. That avoided the problems that could arise with the earlier versions of the malware, whose communications went through the IRC servers installed on the hacked South Korean websites.

The two main problems with the previous Troy variants were, first, that if the owners of the infected servers discovered the IRC process at any time, they might remove it, causing the attackers to lose control of the servers that each Troy variant deployed.

The second problem was that the hackers hard-coded the name of the infected IRC server into each Troy variant’s source code. So if the IRC server was compromised, they had to find another vulnerable server, install an IRC server on it and then recompile a new Troy variant pointing at that specific IRC server.

(Image) The targeted attack Dark Seoul reached its culmination in March 2013, but its roots go back at least to 2009, when the Trojan’s source code was first compiled. Subsequent variations of the malware have also been involved in these threats.

Military Espionage Malware: 2009–2013

The researchers also uncovered a sophisticated military spying network that had targeted South Korea since 2009.

First, the attackers compromised internal systems via a watering-hole attack, placing a zero-day exploit on a military social networking site, and in later cases via spear-phishing attacks on a specific target.

Then the malware performed the necessary reconnaissance for interesting documents and scraped passwords and registry information from the target systems. The attacker would then request directory contents based on the number of interesting files found and grab the specific files.

Finally, the stolen files were transmitted over an encrypted HTTP channel to the attacker’s server.

Linking the threat actors through technical means

Researchers also uncovered numerous sub-campaigns and linked all the attacks as part of the overall Operation Troy, which ran from 2009 through 2013.

  • The Troy family of malware shared the same source code and components, which were reused across the Troy variants over the years.
  • The same zip encryption password was found in almost all variants except Concealment Troy.
  • All variants except Concealment Troy used the same IRC botnet channel and encryption method.
  • The military keywords found in the components of the 2009-2013 Troy variants confirm the attackers’ intent.
  • The same obfuscation techniques were used across the 2009-10 and 2012-13 campaigns.
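
As an added example, not code from the original post or from the McAfee report, the Python script below shows how compile-path fingerprints of the kind described earlier can be turned into the sort of linking evidence listed above: it pulls drive-letter path strings out of sample blobs, strips generic build folders, and clusters samples that share a distinctive component such as the BsDll.pdb file name or the HttpTroy project folder. The blobs embed the NSTAR, HTTP Troy and Http Dr0pper paths quoted in this article; the blobs themselves and the fourth, unrelated “control” path are constructed for this example, not taken from real binaries.

```python
import re
from collections import defaultdict

# Constructed sample blobs standing in for binaries (not real samples). Each embeds a
# NUL-terminated compile path: three are the Troy paths quoted in the article, the
# fourth is a made-up unrelated build used as a control.
SAMPLES = {
    "nstar.bin": b"MZ\x90\x00junk\x00" + rb"E:\Work\BackUp\2011\nstar_1103\BackDoor\BsDllup\Release\BsDll.pdb" + b"\x00",
    "httptroy.bin": b"MZ\x90\x00\x00" + rb"Z:\source\1\HttpTroy\BsDll-up\Release\BsDll.pdb" + b"\x00",
    "dr0pper.bin": b"MZ\x90\x00\x00" + rb"Z:\1Mission\Team_Project\[2012.6~]\HTTPTroy\HttpDr0pper\Win32\Release" + b"\x00",
    "control.bin": b"MZ\x90\x00\x00" + rb"C:\build\widget\Release\widget.pdb" + b"\x00",
}
# Build-tree folders that say nothing about who wrote the code.
GENERIC = {"release", "debug", "win32", "x64", "source", "work", "build", "backup"}
# Drive letter, colon, backslash, then printable ASCII up to the NUL terminator.
PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{4,}")

def extract_compile_paths(blob: bytes) -> list:
    """Return every drive-letter path string embedded in the blob."""
    return [m.group().decode("ascii") for m in PATH_RE.finditer(blob)]

def path_features(path: str) -> set:
    """Lower-cased path components minus the drive letter, generic folders and tiny tokens."""
    parts = path.split("\\")[1:]
    return {p.lower() for p in parts if len(p) >= 3 and p.lower() not in GENERIC}

def link_samples(samples: dict):
    """Cluster samples sharing a distinctive component; returns (clusters, {(a, b): shared})."""
    feats = {n: set().union(*(path_features(p) for p in extract_compile_paths(b)))
             for n, b in samples.items()}
    names, edges, parent = list(feats), {}, {n: n for n in feats}

    def find(n):  # union-find root lookup
        while parent[n] != n:
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = feats[a] & feats[b]
            if shared:  # any shared distinctive token links the two samples
                edges[(a, b)] = shared
                parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for n in names:
        clusters[find(n)].add(n)
    return sorted(clusters.values(), key=len, reverse=True), edges
```

Running `link_samples(SAMPLES)` links NSTAR to HTTP Troy through the shared BsDll.pdb name and HTTP Troy to Http Dr0pper through the HttpTroy folder, so all three land in one cluster while the control sample stays alone; on real binaries the same tokens would be pulled from the PDB path in the debug directory.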

Conclusion

Although McAfee has not pointed to the origin of the attacks, many researchers do not doubt that North Korea sponsored them and name it as the main culprit.

From 2009 to 2013 the cybercriminals first gathered intelligence on South Korean military targets and then built into their malware’s source code the capability to destroy those targets with an MBR wiper component, as seen in the last major attack, “DarkSeoul”.

After the attacks were investigated, the South Korean government said it would double its cyber-security budget, as it was clear that the nation’s capabilities to protect computer networks and critical infrastructure from the next possible “DarkSeoul” needed to be enhanced. More than 5000 newly trained ethical hackers were added to its cyber-army the year after the attacks.

As we already know, payloads can be designed in an even more sophisticated manner as technology progresses. These attacks from 2013 are now more dangerous because of FUD (fully undetectable) malware, which can be generated with timed triggering and unique signatures and still go unnoticed by even the most secure software and hardware measures in place. Only the specialised services offered by the offensive security side can test how your systems would withstand such attacks.

Continuously inspecting and improving your cybersecurity strategy should be crucial for every company and government. The red team, which provides the offensive side of cybersecurity, should be a major part of that strategy, as it is always better to test your systems and networks against real attack scenarios than to build your defences, wait to be cracked and then fix them again.