Wednesday, April 24, 2013

South Korea Incident - New Malware samples

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin learning x64 (dis)assembly. From the analysis it became apparent that the .dll was part of a bigger malware package. After a while searching on the Internet, I found some Droppers which contained files similar to the one I was analyzing. Luckily, some of the files of these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/south-korean-banks-and-broadcasting-organizations-suffer-major-damage-cyber-attack and http://www.symantec.com/connect/blogs/are-2011-and-2013-south-korean-cyber-attacks-related). As it turned out, the Droppers I found are from the same attackers as described in the Symantec article. So I did another search on the Internet to find more malware samples, which I will now present in this article. It would take me a long time to analyze all these samples, so I am releasing them now so that other people can also take a look at them.

To make it clear, this blog post is just an overview of the various malware samples and not an analysis! All credit goes to the people who provided me with the samples: Chae Jong Bin (MD5 hashes), Artem Baranov (samples), Xylitol (samples).