The forensic data indicates that Dark Seoul is actually just the latest attack to emerge from a malware development project that has been named Operation Troy. The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware. The primary suspect group in these attacks is the New Romanic Cyber Army Team, which makes significant use of Roman terms in their code. The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term domestic spying operation, based on the same code base, against South Korean targets.
Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It’s rare that a researcher can trace a product back to individual developers (unless they’re unusually careless).
But frequently these artifacts can be used to determine the original source and development legacy of a new “product.” Sometimes, as in the case of the New Romanic Cyber Army Team or the Poetry Group, the developers insert such fingerprints on purpose to establish “ownership” of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predicts how the threat might evolve in the future.
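One concrete form these fingerprints take is the compile path that Microsoft's linker writes into a binary's CodeView debug record (the "RSDS" record carrying the GUID, age and full path of the .pdb file), which is how an analyst ends up reading the developer's project directory names. The script below is an added example for this article, not McAfee's tooling and not code from the Troy samples: it parses RSDS records, falls back to a regex for stripped binaries where only the raw path string survives, and reports build directories shared by more than one sample. The sample bytes and every path in them are constructed and invented here; they are not the real Operation Troy strings.

```python
"""Pull PDB compile-path strings out of binaries and compare them across
samples. Added example, not McAfee's tooling; the sample bytes and paths
below are constructed for illustration, not real Operation Troy artifacts."""
import re
import struct
import uuid
from collections import Counter

# CodeView debug record as emitted by MSVC:
#   'RSDS' | PDB GUID (16 bytes, little-endian layout) | age (uint32 LE) | NUL-terminated path
RSDS_MAGIC = b"RSDS"

# Fallback for samples whose debug directory was stripped but whose build path
# survives as a plain string: drive letter, backslash path, ".pdb" suffix.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,259}?\.pdb", re.IGNORECASE)


def parse_rsds(blob: bytes):
    """Yield (guid, age, path) for every well-formed RSDS record in blob."""
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        path_start = pos + 4 + 16 + 4          # magic + GUID + age
        nul = blob.find(b"\x00", path_start)   # -1 if the record is truncated
        if nul != -1:
            guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", blob, pos + 20)
            yield guid, age, blob[path_start:nul].decode("latin-1")
        pos = blob.find(RSDS_MAGIC, pos + 4)


def extract_pdb_paths(blob: bytes) -> list:
    """Unique PDB paths from RSDS records plus the regex fallback, sorted."""
    found = {p for _, _, p in parse_rsds(blob)}
    found.update(m.group(0).decode("latin-1") for m in PDB_PATH_RE.finditer(blob))
    return sorted(found)


def build_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def shared_build_dirs(blobs) -> list:
    """Build directories present in more than one sample: the repeated path
    fragments that point to a common development tree."""
    per_sample = [{build_dir(p) for p in extract_pdb_paths(b)} for b in blobs]
    counts = Counter(d for dirs in per_sample for d in dirs)
    return sorted(d for d, n in counts.items() if n > 1)


def build_rsds(path: str, age: int, guid: uuid.UUID) -> bytes:
    """Assemble an RSDS record; used here only to construct the sample blobs."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed samples with invented paths (not the real Troy strings). Two
# builds share a directory; the third is an unrelated tool with a stray string
# and no debug record at all, so only the regex fallback catches it.
_GUID = uuid.UUID("0123456789abcdef0123456789abcdef")
SAMPLE_A = b"\x00" * 8 + build_rsds(r"D:\work\projx\release\client.pdb", 3, _GUID) + b"\x00" * 4
SAMPLE_B = b"\x00" * 8 + build_rsds(r"D:\work\projx\release\dropper.pdb", 7, _GUID) + b"\x00" * 4
SAMPLE_C = b"\x00" * 8 + b"C:\\unrelated\\tool.pdb\x00" + b"\x00" * 4

if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, extract_pdb_paths(blob))
    print("shared:", shared_build_dirs([SAMPLE_A, SAMPLE_B, SAMPLE_C]))
```

Run against real files by reading each sample with `open(path, "rb").read()` and passing the list to `shared_build_dirs`. The RSDS age and GUID are worth keeping alongside the path: two binaries with the same GUID were linked against the same .pdb, which is stronger evidence of a shared build than a matching directory name alone.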
History of Troy
The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. (See following diagram.) Despite the rather rapid release cycle, the core functionality of Operation Troy has not evolved much. In fact, the main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than with functionality.
The first real functional improvements appeared in the Concealment Troy release, in early 2013. Concealment Troy changed the control architecture and did a better job of concealing its presence from standard security techniques. The 3RAT client was the first version of Troy to inject itself into Internet Explorer, and Dark Seoul added the disk-wiper functionality that disrupted financial services and media companies in South Korea. Dark Seoul was also the first Troy attack to conduct international espionage; all previous versions were simple domestic cybercrime/cyberespionage weapons.