Chinese cyber-security company Qihoo 360 has discovered a hacker group, “OnionDog”, that has been targeting and stealing information from energy, transportation, and other infrastructure industries in South Korea since October 2013. Security researchers found 96 groups of malicious code and 14 command-and-control domain names and IP addresses related to OnionDog. OnionDog stayed undetected for so long mainly because its malware was programmed to self-delete, with an average lifespan of only 15 days and a longest lifespan of 29 days.
Most of OnionDog’s earlier attacks came from spear-phishing emails that carried the hidden malicious code, but later in 2015 the group changed tactics and began exploiting software vulnerabilities in the Hangul word processor to download and install its malware automatically. The origin of the OnionDog group is unknown, but clues point to operations in North Korea, similar to the Lazarus group suspected of carrying out the infamous Sony hack.
References: Korean Energy and Transportation Industries attacked by OnionDog APT | Korean Energy and Transportation Targets Attacked by OnionDog APT | 360 Report Exposes Hacker Group OnionDog Preying On Energy and Transportation Industries in Korean-Language Countries
Researchers are wary that this is the start of a new trend of using expired “media”-related domains to lend legitimacy to malicious code. Trustwave notified the two ad networks involved in the malvertising, Adnxs and Taggify; Taggify has yet to respond.
References: Trustwave identifies whopping big new Angler campaign | Angler malvertising campaign hooks visitors to big-name websites | Top websites served out malicious ads harboring the Angler exploit kit
*IP addresses provided by Recorded Future.