Dissecting operation Troy: Cyberespionage in South Korea

When reports of the Dark Seoul attack on South Korean financial services and media firms emerged in the wake of the attack on March 20, 2013, most of the focus was on the Master Boot Record (MBR) wiping functionality. PCs infected by the attack had all of the data on their hard drives erased. McAfee Labs, however, has discovered that the Dark Seoul attack includes a broad range of technology and tactics beyond the MBR functionality.

The forensic data indicates that Dark Seoul is actually just the latest attack to emerge from a malware development project that has been named Operation Troy. The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware. The primary suspect group in these attacks is the New Romanic Cyber Army Team, which makes significant use of Roman terms in their code. The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term domestic spying operation, based on the same code base, against South Korean targets.

Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It’s rare that a researcher can trace a product back to individual developers (unless they’re unusually careless).

But frequently these artifacts can be used to determine the original source and development legacy of a new “product.” Sometimes, as in the case of the New Romanic Cyber Army Team or the Poetry Group, the developers insert such fingerprints on purpose to establish “ownership” of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predicts how the threat might evolve in the future.

History of Troy
The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR seven known variants have been identified. (See following diagram.) Despite the rather rapid release cycle, the core functionality of Operation Troy has not evolved much. In fact, the main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than functionality.

The first real functional improvements appeared in the Concealment Troy release, in early 2013. Concealment Troy changed the control architecture and did a better job of concealing its presence from standard security techniques. The 3RAT client was the first version of Troy to inject itself into Internet Explorer, and Dark Seoul added the disk-wiper functionality that disrupted financial services and media companies in South Korea. Dark Seoul was also the first Troy attack to conduct international espionage; all previous versions were simple domestic cybercrime/cyberespionage weapons.

As interesting as the legacy of Operation Troy is, even more enlightening are the fingerprints and footprints that allow McAfee Labs to trace its legacy. In the “fingerprint” category is what developers term the compile path. This is simply the path through the developer’s computer file directory to the location at which the source code is stored.

An early Troy variant in 2010, related to NSTAR and HTTP Troy via reused components, used this compile path.

A second variant from 2010, compiled May 27, also contained a very similar compile path. We were able to obtain some traffic with the control server.

McAfee Labs has consistently seen the Work directory involved, just as throughout the other post-2010 malware used in this campaign. By analyzing attributes such as compile path, McAfee Labs researchers have been able to establish connections between the Troy variants and document functional and design changes programmed into the variants.

Both the Chang and EagleXP variants are based on the same code that created NSTAR and the later Troy variants. The use of the same code also confirms the attackers have been operating for more than three years against South Korean targets.

In the “footprint” category McAfee Labs documented the most significant functional change that occurred, in the 2013 release of the Concealment Troy. Historically, the Operation Troy control process involved routing operating commands through concealed Internet Relay Chat (IRC) servers. The first three Troy variants were managed through a Korean manufacturing website in which the attackers installed an IRC server.

From the attacker’s perspective there are two problems with this approach. The first is that if the owners of infected servers discover the rogue IRC process, they would remove it and the attacker would lose control of the Troy-infected clients. The second is that the Troy developers actually hardcoded the name of the IRC server into each Troy variant. This means that they had to first find a vulnerable server, install an IRC server, and then recompile the Troy source into a new variant controlled by that specific server. For this reason nearly all Troy variants needed to be controlled by a separate control server.

The Concealment Troy variant was the first to break this dependency on a hardcoded IRC control server. Concealment Troy presumably gets its operating instructions from a more sophisticated (and likely more distributed) botnet that is also under the control of the Troy syndicate.

This investigation into the cyberattacks on March 20, 2013, revealed ongoing covert intelligence-gathering operations. McAfee Labs concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest in a series of attacks dating to 2010. These operations remained hidden for years and evaded the technical defenses that the targeted organizations had in place. Much of the malware from a technical standpoint is rather old, with the exception of Concealment Troy, which was released early 2013.

A copy of the full report can be found here.