Dissecting operation Troy: Cyberespionage in South Korea
by Ryan Sherstobitoff and Itai Liba, McAfee Labs, and James Walter, Office of the CTO - Monday, 8 July 2013.
McAfee Labs has consistently seen the Work directory in the compile paths of these samples, just as in the other post-2010 malware used in this campaign. By analyzing attributes such as the compile path, McAfee Labs researchers have been able to link the Troy variants to one another and to document the functional and design changes programmed into each variant.

Both the Chang and EagleXP variants are built from the same code base that produced NSTAR and the later Troy variants. This shared code also confirms that the attackers have been operating against South Korean targets for more than three years.


In the “footprint” category, McAfee Labs documented the most significant functional change, which arrived with the 2013 release of Concealment Troy. Historically, the Operation Troy control process routed operating commands through concealed Internet Relay Chat (IRC) servers. The first three Troy variants were managed through a Korean manufacturing website on which the attackers had installed an IRC server.

From the attacker’s perspective there are two problems with this approach. The first is that if the owners of a compromised server discovered the rogue IRC process, they would remove it and the attacker would lose control of every Troy-infected client that reported to it. The second is that the Troy developers hardcoded the name of the IRC server into each Troy variant. This means that for every new control point they had to find a vulnerable server, install an IRC server on it, and then recompile the Troy source into a new variant tied to that specific server. For this reason nearly every Troy variant needed its own separate control server.

The Concealment Troy variant was the first to break this dependency on a hardcoded IRC control server. Concealment Troy presumably gets its operating instructions from a more sophisticated (and likely more distributed) botnet that is also under the control of the Troy syndicate.
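The two analysis threads above (linking variants by compile path, and the hardcoded IRC control server baked into each pre-2013 variant) can be reproduced with a small triage script. The following is an added example written for this page, not code from the McAfee Labs report or from the Troy malware: it pulls PDB compile paths out of CodeView `RSDS` debug records, lists the IRC protocol verbs and hostname-like literals a hardcoded IRC client leaves in its strings, and then groups samples that share a compile directory. The sample blobs, the `Z:\Work\Troy\...` path, the `*.example.test` hostnames and the function names are all constructed and hypothetical; they are not real Troy artifacts.

```python
"""
Added example (not from the McAfee Labs report or the Troy malware itself):
extract compile-path (PDB) strings and hardcoded IRC indicators from raw
sample bytes, then group samples that share a compile directory.
All sample blobs below are constructed for illustration; the PDB paths,
hostnames and nicknames are hypothetical, not real Troy artifacts.
"""
import re
import struct
from collections import defaultdict

# IRC protocol verbs that a hardcoded IRC client typically embeds as literals.
IRC_VERBS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"PONG"}

# Matches a hostname-like token (e.g. irc.example.test) in an extracted string.
HOST_RE = re.compile(rb"^[a-z0-9][a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list:
    """Return PDB paths from CodeView 'RSDS' debug records in the blob.

    Layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
    """
    paths = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos == -1:
            break
        start = pos + 4 + 16 + 4          # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end != -1 and end > start:
            paths.append(data[start:end].decode("latin-1"))
        pos += 4
    return paths


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, the same thing the `strings` tool would report."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def irc_indicators(data: bytes) -> dict:
    """Collect IRC verbs and hostname-like literals embedded in the sample."""
    found = extract_strings(data)
    verbs = sorted(v.decode() for v in IRC_VERBS if any(v in s for s in found))
    hosts = sorted(s.decode() for s in found if HOST_RE.match(s))
    return {"verbs": verbs, "hosts": hosts}


def compile_dir(pdb_path: str) -> str:
    """Directory part of a PDB path, slashes normalised and lower-cased."""
    return pdb_path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def built_under_work(pdb_path: str) -> bool:
    """True when the compile path passes through a 'Work' directory."""
    return "\\work\\" in (compile_dir(pdb_path) + "\\")


def cluster_by_compile_dir(samples: dict) -> dict:
    """Group sample names by the directory their PDB path points at."""
    groups = defaultdict(list)
    for name, data in samples.items():
        for path in extract_pdb_paths(data):
            groups[compile_dir(path)].append(name)
    return dict(groups)


def make_sample(pdb_path: str, host: bytes) -> bytes:
    """Constructed stand-in for a compiled binary: a debug record plus strings."""
    record = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    irc = b"\x00".join([b"NICK %s", b"USER a 0 * :a", b"JOIN #chan", host])
    return b"MZ" + b"\x90" * 8 + record + b"\x00" * 3 + irc + b"\x00"


# Constructed samples (hypothetical paths/hosts): two share a "Work" compile
# directory but point at different IRC servers, one is unrelated.
SAMPLES = {
    "variant_a": make_sample(r"Z:\Work\Troy\Release\client.pdb", b"irc1.example.test"),
    "variant_b": make_sample(r"Z:\Work\Troy\Release\client.pdb", b"irc2.example.test"),
    "unrelated": make_sample(r"C:\other\build\tool.pdb", b"update.example.test"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, extract_pdb_paths(blob), irc_indicators(blob))
    print(cluster_by_compile_dir(SAMPLES))
```

Run against real samples, the interesting output is two variants that land in the same compile-directory cluster while each carries a different hardcoded hostname: that is exactly the recompile-per-control-server pattern the report describes, and a sample from the same cluster with no IRC verbs at all is the kind of break from that pattern that marked Concealment Troy.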


This investigation into the cyberattacks of March 20, 2013, revealed ongoing covert intelligence-gathering operations. McAfee Labs concludes that the March 20 attacks were not an isolated event tied strictly to the destruction of systems, but the latest in a series of attacks dating back to 2010. These operations remained hidden for years and evaded the technical defenses that the targeted organizations had in place. From a technical standpoint much of the malware is rather old, with the exception of Concealment Troy, which was released in early 2013.

A copy of the full report can be found here.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found to contain a flaw that can ultimately lead to remote code execution by attackers.
