The forensic data indicates that Dark Seoul is actually just the latest attack to emerge from a malware development project that has been named Operation Troy. The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware. The primary suspect group in these attacks is the New Romanic Cyber Army Team, which makes significant use of Roman terms in their code. The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term domestic spying operation, based on the same code base, against South Korean targets.
Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It’s rare that a researcher can trace a product back to individual developers (unless they’re unusually careless).
But frequently these artifacts can be used to determine the original source and development legacy of a new “product.” Sometimes, as in the case of the New Romanic Cyber Army Team or the Poetry Group, the developers insert such fingerprints on purpose to establish “ownership” of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predicts how the threat might evolve in the future.
History of Troy
The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR seven known variants have been identified. (See following diagram.) Despite the rather rapid release cycle, the core functionality of Operation Troy has not evolved much. In fact, the main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than functionality.
The first real functional improvements appeared in the Concealment Troy release, in early 2013. Concealment Troy changed the control architecture and did a better job of concealing its presence from standard security techniques. The 3RAT client was the first version of Troy to inject itself into Internet Explorer, and Dark Seoul added the disk-wiper functionality that disrupted financial services and media companies in South Korea. Dark Seoul was also the first Troy attack to conduct international espionage; all previous versions were simple domestic cybercrime/cyberespionage weapons.
As interesting as the legacy of Operation Troy is, even more enlightening are the fingerprints and footprints that allow McAfee Labs to trace its legacy. In the “fingerprint” category is what developers term the compile path. This is simply the path through the developer’s computer file directory to the location at which the source code is stored.
An early Troy variant in 2010, related to NSTAR and HTTP Troy via reused components, used this compile path.
A second variant from 2010, compiled May 27, also contained a very similar compile path. We were able to obtain some traffic with the control server.