Dissecting operation Troy: Cyberespionage in South Korea
by Ryan Sherstobitoff and Itai Liba, McAfee Labs, and James Walter, Office of the CTO - Monday, 8 July 2013.
When reports of the Dark Seoul attack on South Korean financial services and media firms emerged in the wake of the attack on March 20, 2013, most of the focus was on the Master Boot Record (MBR) wiping functionality. PCs infected by the attack had all of the data on their hard drives erased. McAfee Labs, however, has discovered that the Dark Seoul attack includes a broad range of technology and tactics beyond the MBR functionality.

The forensic data indicates that Dark Seoul is actually just the latest attack to emerge from a malware development project that has been named Operation Troy. The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware. The primary suspect group in these attacks is the New Romanic Cyber Army Team, which makes significant use of Roman terms in their code. The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term domestic spying operation, based on the same code base, against South Korean targets.

Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It’s rare that a researcher can trace a product back to individual developers (unless they’re unusually careless).

But frequently these artifacts can be used to determine the original source and development legacy of a new “product.” Sometimes, as in the case of the New Romanic Cyber Army Team or the Poetry Group, the developers insert such fingerprints on purpose to establish “ownership” of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predicts how the threat might evolve in the future.

History of Troy

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR seven known variants have been identified. (See following diagram.) Despite the rather rapid release cycle, the core functionality of Operation Troy has not evolved much. In fact, the main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than functionality.

The first real functional improvements appeared in the Concealment Troy release, in early 2013. Concealment Troy changed the control architecture and did a better job of concealing its presence from standard security techniques. The 3RAT client was the first version of Troy to inject itself into Internet Explorer, and Dark Seoul added the disk-wiper functionality that disrupted financial services and media companies in South Korea. Dark Seoul was also the first Troy attack to conduct international espionage; all previous versions were simple domestic cybercrime/cyberespionage weapons.



Fingerprints

As interesting as the legacy of Operation Troy is, even more enlightening are the fingerprints and footprints that allow McAfee Labs to trace its legacy. In the “fingerprint” category is what developers term the compile path. This is simply the path through the developer’s computer file directory to the location at which the source code is stored.

An early Troy variant in 2010, related to NSTAR and HTTP Troy via reused components, used this compile path.

D:\VMware\eaglexp(Backup)\eaglexp\vmshare\

Work\BsDll-up\Release\BsDll.pdb

A second variant from 2010, compiled May 27, also contained a very similar compile path. We were able to obtain some traffic with the control server.

D:\\Chang\\vmshare\\Work\\BsDll-up\\Release\\BsDll.pdb

Spotlight

Infographic: 25 years of the firewall

Posted on 24 July 2014.  |  The firewall turned 25, and McAfee is celebrating with an infographic that creatively depicts its lifetime. If you take a moment to scan the infographic, you’ll notice the firewall's introduction and evolution coincide with certain security events.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Jul 25th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //