Blue Coat Labs

Labs Blog

From Seoul To Sony

From Seoul To Sony

Snorre Fagerland

In the wake of the destructive Sony intrusion in 2014, official sources were fairly quick in attributing the attack to North Korean threat actors. However, there was a lot of scepticism from the security community surrounding this claim.

Our preferred method in cases like these is to not speculate, but follow the data. And some hard data about the malware was available, published in statements from the FBI and US-CERT.

With this information as starting point, we mined available databases for connections to other known malwares and incidents. It turned out that we didn't have to look far. Connections to other historical security incidents involving the Korean peninsula are fairly obvious and plentiful. Over time, other researchers have touched on this - such as similarities with the attack on the Joongang Ilbo newspaper in 2012 and the Korhigh attacks in 2013.



Going back in time, we found one family of backdoors which was involved in several previous incidents. This family did not have a commonly agreed upon name, but some Korean antivirus vendors tended to use the rather nonspecific name Dllbot for this and similar malware families. Thus, we chose the name KorDllbot.





KorDllbots commonly follow a quite regular pattern:

  • Often configured to be loaded as services, with a ServiceMain export
  • API usage almost always obfuscated, with up to several API deobfuscation functions early on in the execution path
  • Usually connecting on raw IP to C&C servers, which usually seem to be hacked computers acting as proxies
  • Several different string obfuscation methods and network traffic encryption methods used between samples and variants
  • Commands to the backdoor following an intereger-based format, where base offset varies between variants.


However, KorDllbots are also suprisingly variable in some respects, such as which method is used for string obfuscation. It seems that the developers have access to a large library of algorithms and code modules that they choose between for every build.

We were able to assume with high confidence that KorDllbots were involved in the Dozer incident in 2009, and the Koredos incident in 2011. The Koredos incident has been - through other indicators - linked to the destructive DarkSeoul attack in 2013.
These attacks were attributed to the threat actors known as DarkSeoul or Silent Chollima.


Above: Network receipt w XOR decoding in KorDllbot vs Dozer malware.


However, KorDllbots share a number of similarities with more modern malware. Notably, a malware family which was identified in the Sony intrusion and was given the name Destover.




Destover seems to be a series of branches from the old KorDllbot projects; somewhat modernized and with somewhat more capabilities. The Destover complex consists of several sub-variants, and each sub-variant has also often changed over time. Some of these variants have received their own names - such as Volgmer and Duuzer - but there are also clear functional variants that have no particular naming. In the full report we will go through many - if not all - of the variants we have seen.

One of the common traits between Destover and KorDllbots is the use of this string obfuscation, which we've named ChopString.

This is just one of a whole series of string obfuscation techniques used in various generations of related malware.




Another malware family involved is known as Joanap. The Joanap series is a mix of things - some variants are pure backdoors, others are pure SMB worms, or, more frequently, composite threats with different, cooperating modules. Joanap worm modules are often associated with another name - Brambul. We have not used that name to any great extent, as there is Brambul malware in existence which does not appear to have an obvious relationship with this complex.

The use of SMB worms has declined over the years, but there appears still to be enough vulnerable hosts to make them somewhat viable. In the case of Joanap worms, they send email notification back to their master, and so the malware author is getting updates as to which machines have been compromised.

Above: Joanap sending email back to its controller





The preferred modus operandi of the DarkSeoul group appears to not use regular rented servers or registered domains. Almost all binaries related to this complex connect via raw IP to their Command&Control servers. I most cases, these seem to be compromised boxes, where one assumes there is a proxy installed. Different binaries usually contains different IP addresses, so it seems that this setup is fed by an easy access to newly hacked computers. It's possible that the worms in use by this group help them maintain this resource.





Based on malware indicators, we can say with fairly high confidence that the Sony intrusion was not a one-off incident. There were other incidents both before and after where the same malware toolsets were used; some of which were destructive. Some of these incidents have historically been attributed to the threat group going by the name DarkSeoul.


The full paper "From Seoul To Sony" is available here:

[Erratum: p18, where it says "Scan for computers that have ports 139 and 443 open" - that should of course read "Scan for computers that have ports 139 and 445 open"]


But wait, there's more!

We are not the only ones who have been studying this group. Some time ago, we got in touch with the folks over at Novetta, who have been researching this malware about as long as we have. They have shared technical indicators with us, and we have shared with them.

Today they are releasing their own research into this, which is available from the Operation BlockBuster pages.