Last week, there was ample coverage on the data breach on SK Comms, one of the popular service providers in South Korea that offers three types of service-social networking and instant-messaging (IM), as well as mobile phones. The breach affected user accounts of Nate portal and Cyworld, both under SK Comms.
Within the same week, we also located a malware that may be related to the particular incident. The said backdoor, which Trend Micro detects as BKDR_SOGU.A (with sha1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to {BLOCKED}n.duamlive.com, its C&C server. The C&C server communicates with the remote infected machine via HTTP post in order to send and receive commands from a remote malicious user. As of this writing, it is inaccessible.
One notable routine in this backdoor is its capability to access a specific database in the infected machine, and to fetch and collect data from the said database. This routine was being performed using several ODBC API such as SQLAllocHandle, SQLDriverConnect, SQLNumResultCols, SQLFetch, and SQLExecDirect. Figures below show the code disassembly of how the malware uses the said APIs.
 |  |
The database being accessed and the type of information being gathered is defined based on the parameters provided by the remote server. Other backdoor routines (such as enumerating registry values or listing files in a specified directory) might be able to provide such data as well.
So far, nothing in the code suggests that it was created solely and specifically for certain attacks. In fact, it might be used and reused as long as the malware is not detected by the network’s security software. As we stated before, attacks against large corporations do not always require highly sophisticated malware technologies but a combination of ingenious use of other techniques, (exploiting known vulnerabilities, social engineering etc, etc.) that can lead to a successful targeted attack.
The Trend MicroT Smart Protection NetworkT infrastructure detects the backdoor and blocks access to malicious URLs related to this attack.
We are still conducting further investigation on this incident. We will update this blog entry as soon as possible for any relevant developments.
Analysis assistance provided by Paul Kimayong and Kathleen Notario.
Leave a reply
