South Korean Companies Targeted By OnionDog Hacker Group

This week, we hear the latest on South Korean companies targeted by the OnionDog hacker group and on popular websites affected by “malvertisements” harboring the Angler exploit kit.

Breach

South Korean companies targeted by OnionDog Hacker Group

Chinese cyber-security company Qihoo 360 has discovered a hacker group, “OnionDog,” that has been targeting and stealing information from energy, transportation, and other infrastructure industries in South Korea since October 2013. Security researchers found 96 groups of malicious code and 14 command-and-control domain names and IP addresses related to OnionDog. The main reason OnionDog was able to stay undetected for so long was that the malware being used was programmed to self-delete, with an average lifespan of only 15 days and a longest lifespan of 29 days.

Most of OnionDog’s earlier attacks came from spear-phishing emails containing hidden malicious code, but later, in 2015, the group changed tactics and began exploiting software vulnerabilities in the Hangul word processor to download and install its malware automatically. The origin of the OnionDog group is unknown, but clues point to operations in North Korea, similar to the Lazarus group suspected of carrying out the infamous Sony hack.

References: Korean Energy and Transportation Industries attacked by OnionDog APT | Korean Energy and Transportation Targets Attacked by OnionDog APT | 360 Report Exposes Hacker Group OnionDog Preying On Energy and Transportation Industries in Korean-Language Countries

Mitigation Strategies:

Malware

Popular websites affected by malvertisements harboring Angler exploit kit

Trustwave and Trend Micro have discovered a new malvertising campaign affecting multiple websites among the top 1,000 sites in the world. The attackers managed to acquire an expired domain from a reputable advertising company, which enabled them to feed their exploit kit with “high-quality traffic from popular websites that published their ads directly.” A very complex JavaScript file, containing more than 12,000 lines of code, was used to bait the victims of this campaign, and a large portion of that code was used to filter out security researchers and protected users so as to avoid detection. Once the Angler exploit kit was downloaded, it delivered the BEDEP Trojan and TeslaCrypt ransomware to the victims.

Researchers are wary that this is the start of a new trend of using expired “media”-related domains to lend legitimacy to malicious code. Trustwave notified two ad networks, Adnxs and Taggify, about the malvertising taking place, although Taggify has yet to respond.

References: Trustwave identifies whopping big new Angler campaign | Angler malvertising campaign hooks visitors to big-name websites | Top websites served out malicious ads harboring the Angler exploit kit

Mitigation Strategies:

Top 20 IP Addresses


*IP addresses provided by Recorded Future.