{"id":1389,"date":"2015-01-05T01:30:25","date_gmt":"2015-01-04T23:30:25","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=1389"},"modified":"2015-01-05T01:30:25","modified_gmt":"2015-01-04T23:30:25","slug":"korea-threat-compain-2014","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/01\/05\/korea-threat-compain-2014\/","title":{"rendered":"SSE Group together with McAfee Research Lab has identified a new threat campaign currently underway in South Korea"},"content":{"rendered":"<p>With the help of our new <a title=\"CodeInspect says \u201cHello World\u201d: A new Reverse-Engineering Tool for Android and Java Bytecode\" href=\"http:\/\/sseblog.ec-spride.de\/2014\/12\/codeinspect\/\">CodeInspect<\/a> tool, we &#8211; together with the McAfee Research Lab &#8211; have identified a new\u00a0threat campaign currently underway in South Korea, attempting to exploit the huge media frenzy surrounding the release of the movie \u2018The Interview\u2019.<!--more--><\/p>\n<p>Shortly after the news broke that <em>The Interview,<\/em> originally scheduled to be released on Christmas Day, would appear online from Sony Pictures, numerous sites claimed to offer a pirated copy\u2013fueled by the rumors that the movie might be distributed free online due to the circumstances surrounding the film\u2019s change in distribution. 
One claim making the rounds in South Korea turned out to be an Android Trojan we have designated Android\/BadAccents (named after the main component in the first stage of the Trojan).<\/p>\n<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_1.jpg\" alt=\"Image_1\" width=\"546\" height=\"492\" \/><\/a><\/p>\n<p>Android\/BadAccents claims to download a copy of <em>The Interview<\/em> but instead is the first-stage downloader of a two-stage banking Trojan. The second-stage component, which was distributed using Amazon Web Services, targets account holders of prominent local banks in South Korea as well as one international bank.<\/p>\n<p>One element of the threat\u2019s code caught our attention: the presence of a detection routine that checked the device manufacturer before infecting the device. We had at first overlooked this because we had not heard of the manufacturers Samjiyon or Arirang; we later found they are not located in South Korea. 
If the device manufacturer was set to either \uc0bc\uc9c0\uc5f0 (Samjiyon) or \uc544\ub9ac\ub791 (Arirang), then the threat would not infect the device and instead prompt the user with a message that an attempt to connect to the server had failed, as we see in the following image.<\/p>\n<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright  wp-image-1418\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_2-168x300.png\" alt=\"Image_2\" width=\"269\" height=\"472\" \/><\/a><\/p>\n<p>When installing on any other brand of device, the infection is completed immediately following the download and execution of the second-stage payload.<\/p>\n<p>Currently we don\u2019t believe that this is a politically motivated threat\u2013limiting the infection to devices sold only in South Korea\u2013but purely a business strategy. Because the malicious payload targets account holders in South Korea, why waste bandwidth on an audience outside of the country?<\/p>\n<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft  wp-image-1419\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/01\/Image_3-168x300.png\" alt=\"Image_3\" width=\"268\" height=\"465\" \/><\/a><br \/>\nUsing the new specialized tool <a href=\"http:\/\/sseblog.ec-spride.de\/2014\/12\/codeinspect\/\">CodeInspect<\/a> developed by the Secure Software Engineering Group at CASED, the\u00a0joint IT-security research center between Technische Universit\u00e4t Darmstadt and Fraunhofer SIT, we were able to decrypt the account information that was used by the malware\u2019s authors to relay information to a mail account hosted outside of South Korea.<\/p>\n<p>Despite the fact that this campaign appeared to be relatively new when we discovered it, the number of infected devices that relayed data was about 20,000. 
Because accounts related to this threat are hosted outside of South Korea, authorities cannot easily dismantle the campaign and prevent further infections. This tactic has become very popular with threats targeting mobile devices in Korea.<\/p>\n<p>Our investigation of the second-stage component indicates that the malware\u2019s components as well as the Amazon Web Security services may have been used in previous campaigns targeting banks in South Korea as early as October. McAfee has notified Amazon Web Security and the Korea Internet &amp; Security Agency of our findings. We are working with them to stop the distribution and\u00a0prevent further infections of this campaign.<\/p>\n<p>The post <a href=\"http:\/\/blogs.mcafee.com\/mcafee-labs\/fake-the-interview-app-delivers-mobile-malware-in-south-korea\" rel=\"nofollow\">Fake \u201cThe Interview\u201d App Delivers Mobile Malware in South Korea<\/a> appeared first on <a href=\"http:\/\/blogs.mcafee.com\/\" rel=\"nofollow\">McAfee<\/a>.<\/p>\n<p>Very soon, in a second post on this topic, we will take a deep technical dive into the code and tactics used in this campaign.<\/p>\n<p><em>Other media have also reported on it:<\/em><\/p>\n<ul>\n<li><a href=\"http:\/\/blogs.mcafee.com\/mcafee-labs\/fake-the-interview-app-delivers-mobile-malware-in-south-korea\">McAfee Research Lab<\/a><\/li>\n<li><a href=\"http:\/\/www.heise.de\/newsticker\/meldung\/Nordkorea-Satire-The-Interview-Trojaner-tarnt-sich-als-Download-App-2507860.html\">heise.de<\/a><\/li>\n<li><a href=\"http:\/\/grahamcluley.com\/2014\/12\/the-interview-android-app-malware\/\">Graham Cluley<\/a><\/li>\n<li><a href=\"http:\/\/www.mirror.co.uk\/news\/technology-science\/technology\/fake-the-interview-app-steal-4899933\">mirror.co.uk<\/a><\/li>\n<li><a href=\"http:\/\/thehackernews.com\/2014\/12\/movie-the-interview-android.html\">thehackernews.com<\/a><\/li>\n<li><a 
href=\"http:\/\/www.theregister.co.uk\/2014\/12\/29\/interview_banking_trojan\/\">theregister.co.uk<\/a><\/li>\n<li><a href=\"http:\/\/www.zdnet.de\/88215097\/interview-app-ist-ein-trojaner\/\">ZDNet<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With the help of our new CodeInspect tool, we &#8211; together with the McAfee Research Lab &#8211; have identified a new\u00a0threat campaign currently underway in South Korea; attempting to exploit the huge media frenzy surrounding the release of the movie &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/01\/05\/korea-threat-compain-2014\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6581,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,21,1,51,71],"tags":[],"class_list":["post-1389","post","type-post","status-publish","format-standard","hentry","category-android","category-dynamic-analysis","category-general","category-security-analysis","category-static-analysis"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6581"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=1389"}],"version-history":[{"count":0,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1389\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=1389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categorie
s?post=1389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/tags?post=1389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}