Reporting and technical details surrounding the malware used in the March 20, 2013, attack on South Korean assets have been varied and inconsistent. US-CERT released a paper outlining the attack's common attributes, giving guidance to U.S. Critical Infrastructure and Key Resource owners and operators, and listing defensive measures against the DarkSeoul malware.
The common attributes of the attack campaign are the following:
- The malicious file wipes the master boot record (MBR) and other files.
- The malware was hard-coded with a specific execution date and time, and it searches infected machines for credentials that grant administrative/root access to servers.
- The malware is written to specifically target South Korean victims.
- The attack is effective on multiple operating systems.
- The design is low sophistication, high damage.