Researchers have identified a malware downloader they say is the first conclusive evidence that Chinese-speaking attackers have been targeting South Korea.
Earlier this year, it was speculated that data-wiping malware, dubbed Jokra, which crippled critical businesses, including broadcast companies and banks throughout South Korea in March, was the work of Chinese hackers.
The PinkStats downloader masquerades as legitimate web-statistics software. Over the past two months it was used in China-based attacks that infected more than 1,000 machines belonging to universities and other educational institutions in South Korea.
The malware's admin panel looks much like the panel of a typical web analytics tool, Seculert chief technology officer Aviv Raff said.
He said this campaign showcases the “first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.”
PinkStats dropped, among other tools, the zxarps worm, which performs address resolution protocol (ARP) poisoning. The attacker does not alter the victim's own MAC address; instead it sends forged ARP replies that map another host's IP address (typically the gateway's) to the attacker's Media Access Control (MAC) address in the ARP caches of other machines on the segment, so that traffic between the infected computer and those machines passes through the attacker and can be intercepted.
Sitting in that traffic path, the worm also injects an IFRAME tag into the active web sessions of other machines on the local network, spreading PinkStats to them, Raff said.
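The two behaviours above, forged ARP replies and an injected IFRAME, leave traces a defender can look for. The following is an added example (not code from the original article or from Seculert) that checks a list of observed ARP replies for IP addresses claimed by more than one MAC and for one MAC answering for several IPs, and scans an HTML page for IFRAME sources pointing outside a set of trusted hosts. The ARP records, the HTML snippet, the host names and the MAC addresses are all constructed for the example.

```python
"""Indicators of ARP-cache poisoning and IFRAME injection on a LAN.

Added example, not code from the article or from Seculert. Works on
constructed sample records instead of live traffic so it runs offline.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: (sender IP, sender MAC) taken from ARP replies seen on
# one segment. A genuine host keeps one stable MAC; a poisoner answers for
# the gateway and for victims with its own MAC.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ("10.0.0.25", "00:11:22:33:44:25"),  # workstation, legitimate
    ("10.0.0.99", "de:ad:be:ef:00:99"),  # infected host, its own IP
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # forged: gateway IP -> attacker MAC
    ("10.0.0.25", "de:ad:be:ef:00:99"),  # forged: victim IP -> attacker MAC
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # repeated poison reply
]

# Constructed sample page as it might arrive after on-path injection.
SAMPLE_HTML = (
    '<html><body><h1>Campus portal</h1>'
    '<iframe src="https://portal.example.ac.kr/embed/news"></iframe>'
    '<iframe src="http://stats.example.net/count.html" width="0" height="0"></iframe>'
    '</body></html>'
)


def detect_arp_poisoning(replies):
    """Return two maps of suspicious ARP state.

    ip_conflicts: IP -> sorted MACs, for IPs claimed by more than one MAC.
    mac_multi_ip: MAC -> sorted IPs, for MACs that answered for several IPs
                  (an attacker posing as gateway and victims at once).
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    ip_conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    mac_multi_ip = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return {"ip_conflicts": ip_conflicts, "mac_multi_ip": mac_multi_ip}


def suspect_macs(findings):
    """MACs that both answer for several IPs and take part in an IP conflict."""
    conflicted = {m for macs in findings["ip_conflicts"].values() for m in macs}
    return sorted(m for m in findings["mac_multi_ip"] if m in conflicted)


# Matches <iframe ... src=...> regardless of attribute order or quoting.
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def find_injected_iframes(html, trusted_hosts):
    """Return IFRAME src URLs whose host is not in trusted_hosts.

    Relative sources (no host) are left alone: they come from the same origin
    and are not what an on-path injector typically adds.
    """
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for src in IFRAME_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host and host.lower() not in trusted:
            hits.append(src)
    return hits


if __name__ == "__main__":
    findings = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    print("IP conflicts:", findings["ip_conflicts"])
    print("MACs answering for several IPs:", findings["mac_multi_ip"])
    print("Suspected poisoner(s):", suspect_macs(findings))
    print("Foreign IFRAMEs:", find_injected_iframes(SAMPLE_HTML, {"portal.example.ac.kr"}))
```

On a real network the ARP records would come from a packet capture or the switch's ARP inspection logs, and a MAC that legitimately fronts several IPs (a router with secondary addresses, a VRRP pair) should be whitelisted before the multi-IP check is trusted. The zero-size IFRAME in the sample is the usual shape of an injected loader, but the check keys on the host rather than the dimensions so that a visible injected frame is caught as well.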
Zxarps was disguised as an ActiveX installer, which triggered a warning dialog stating that the file was signed with a certificate from Thawte, a certificate authority based in South Africa, issued to a fake company called “Liaocheng YuanEr Technology Co.” A valid signature only shows that someone obtained a code-signing certificate under that name; it says nothing about whether the publisher is trustworthy.
PinkStats' second malware component is a distributed denial-of-service (DDoS) tool that poses as the V3Light Framework, a legitimate product of South Korean anti-virus company AhnLab.