Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.
Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.
Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can’t be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks; instead, it would appear that the Destover attackers copied techniques from Shamoon.
Destover in action
Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.
There are several malicious files associated with the FBI Destover report:
Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.
When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.
The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:
- Delete all files on fixed and remote drives
- Modify the partition table
- Install an additional module (iissvr.exe)
- Connect to a number of IP addresses on ports 8080 and 8000
Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:
“We’ve already warned you, and this is just a beginning.
We continue till our request be met.
We’ve obtained all your internal data including your secrets and top secrets.
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM(GMT).
Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.
Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.
And even if you just try to seek out who we are, all of your data will be released at once.”
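The file names, ports and host-name pattern listed above are the kind of host-level indicators a defender can hunt for in endpoint telemetry. The following Python script is an added example (not Symantec's code and not part of the FBI report): it scans constructed telemetry lines of an assumed `<event_type> key=value ...` form for the Destover behaviours described here. The file names, the outbound ports 8080/8000, the port 80 listener and the `USSDIX` host-name prefix come from the write-up; the telemetry format, the sample lines, the paths and ports on those lines, and the sweep threshold of three hosts are assumptions made for the example.

```python
"""
Added detection example (not Symantec's code): scan endpoint telemetry for
the Destover indicators described in the write-up. The telemetry format
("<event_type> key=value ...") and every sample line below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Files the report associates with this Destover variant.
DESTOVER_FILES = {"diskpartmg16.exe", "net_ver.dat", "igfxtrayex.exe", "iissvr.exe"}
WIPER_IMAGE = "igfxtrayex.exe"        # destructive payload
WIPER_PORTS = {8080, 8000}            # outbound ports it connects to
BACKDOOR_IMAGE = "iissvr.exe"         # additional module, listens on port 80
BACKDOOR_LISTEN_PORT = 80
TARGET_HOST_PREFIX = "USSDIX"         # computer-name format "USSDIX[Machine Name]"
SWEEP_THRESHOLD = 3                   # assumption: distinct USSDIX* hosts before alerting


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one telemetry line of the constructed '<type> key=value ...' form."""
    kind, _, rest = line.strip().partition(" ")
    event = {key: value.strip('"') for key, value in KV_RE.findall(rest)}
    event["type"] = kind
    return event


def basename(path):
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines):
    """Return a Finding for every line that matches a Destover rule, in input order."""
    findings = []
    # (image, pid) -> distinct USSDIX* hosts contacted; catches the targeted sweep
    sweep = defaultdict(set)
    for line_no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event = parse_event(line)
        image = basename(event.get("image", ""))
        kind = event["type"]
        if kind == "file_create":
            name = basename(event.get("path", ""))
            if name in DESTOVER_FILES:
                findings.append(Finding(line_no, "destover_file_name",
                                        f"{image} wrote {name}"))
        elif kind == "net_connect":
            host = event.get("dhost", "")
            port = int(event.get("dport", "0"))
            if image == WIPER_IMAGE and port in WIPER_PORTS:
                findings.append(Finding(line_no, "wiper_outbound_port",
                                        f"{image} -> {host}:{port}"))
            if host.upper().startswith(TARGET_HOST_PREFIX):
                key = (image, event.get("pid", "?"))
                sweep[key].add(host.upper())
                if len(sweep[key]) == SWEEP_THRESHOLD:   # alert once, when the threshold is hit
                    findings.append(Finding(line_no, "target_host_sweep",
                                            f"{image} pid {key[1]} contacted "
                                            f"{SWEEP_THRESHOLD} {TARGET_HOST_PREFIX}* hosts"))
        elif kind == "net_listen":
            port = int(event.get("lport", "0"))
            if image == BACKDOOR_IMAGE and port == BACKDOOR_LISTEN_PORT:
                findings.append(Finding(line_no, "backdoor_listener",
                                        f"{image} listening on {port}"))
    return findings


# Constructed sample telemetry (not real logs); paths and the port 445 on the
# sweep lines are assumptions, the last two lines are benign noise.
SAMPLE_TELEMETRY = r"""
file_create image=C:\Windows\Temp\diskpartmg16.exe path=C:\Windows\Temp\net_ver.dat pid=4120
file_create image=C:\Windows\Temp\diskpartmg16.exe path=C:\Windows\Temp\igfxtrayex.exe pid=4120
net_connect image=C:\Windows\Temp\diskpartmg16.exe dhost=USSDIX-FILESRV01 dport=445 pid=4120
net_connect image=C:\Windows\Temp\diskpartmg16.exe dhost=USSDIX-WS0042 dport=445 pid=4120
net_connect image=C:\Windows\Temp\diskpartmg16.exe dhost=USSDIX-WS0043 dport=445 pid=4120
file_create image=C:\Windows\Temp\igfxtrayex.exe path=C:\Windows\System32\iissvr.exe pid=4188
net_connect image=C:\Windows\Temp\igfxtrayex.exe dhost=203.0.113.10 dport=8080 pid=4188
net_listen image=C:\Windows\System32\iissvr.exe lport=80 pid=4200
file_create image=C:\Tools\editor.exe path=C:\Users\bob\notes.txt pid=2000
net_connect image=C:\Tools\browser.exe dhost=USSDIX-INTRANET dport=443 pid=2100
""".strip().splitlines()


if __name__ == "__main__":
    for finding in scan(SAMPLE_TELEMETRY):
        print(f"line {finding.line_no}: {finding.rule}: {finding.detail}")
```

The file-name rule alone will fire on any file with one of these names, so the higher-confidence signals are the combinations: the first-stage executable creating the second stage, the wiper image reaching out on 8080/8000, and the iissvr.exe listener on port 80. The sweep rule only alerts once per process, when it reaches the third distinct `USSDIX*` host, which keeps a single process from generating one alert per connection.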
Links to Volgmer
Some samples of Destover seen by Symantec link to a C&C server that has been used by variants of Trojan.Volgmer in the past. Symantec has been tracking Trojan.Volgmer for several months. Volgmer is a threat capable of opening a back door on an infected computer, which allows the malware to communicate with a C&C server to retrieve system information, execute commands, upload files, and download files for execution.
Interestingly, the variants of Volgmer that share a C&C server with Destover are configured to end execution if the compromised computer’s region is not “Korea”.
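The attribution argument in this section rests on infrastructure overlap: two families reporting to the same C&C server. The Python below is an added example (not Symantec's code) of that pivot carried out over a constructed sample-to-C&C table; the sample identifiers and addresses are placeholders, not real indicators, and the family names are the ones used in this write-up.

```python
"""
Added example (not Symantec's code): pivot on shared C&C infrastructure to
find which malware families are linked. All observations are constructed
placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed observations: (family, sample_id, c2_address).
OBSERVATIONS = [
    ("Backdoor.Destover", "destover-sample-A", "198.51.100.7"),
    ("Backdoor.Destover", "destover-sample-B", "198.51.100.7"),
    ("Backdoor.Destover", "destover-sample-C", "203.0.113.21"),
    ("Trojan.Volgmer", "volgmer-sample-A", "198.51.100.7"),
    ("Trojan.Volgmer", "volgmer-sample-B", "192.0.2.40"),
    ("W32.Disttrack", "disttrack-sample-A", "192.0.2.99"),
]


def shared_infrastructure(observations):
    """Map each C&C address used by more than one family to {family: {samples}}."""
    by_c2 = defaultdict(lambda: defaultdict(set))
    for family, sample, c2 in observations:
        by_c2[c2][family].add(sample)
    return {c2: {family: set(samples) for family, samples in families.items()}
            for c2, families in by_c2.items() if len(families) > 1}


def family_links(observations):
    """Pairs of families joined by at least one shared C&C, with the shared addresses."""
    links = defaultdict(set)
    for c2, families in shared_infrastructure(observations).items():
        names = sorted(families)          # deterministic pair ordering
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                links[(names[i], names[j])].add(c2)
    return dict(links)


if __name__ == "__main__":
    for pair, addresses in family_links(OBSERVATIONS).items():
        print(f"{pair[0]} <-> {pair[1]} share C&C: {sorted(addresses)}")
```

On this constructed data the pivot links Destover to Volgmer through one address and leaves Disttrack unlinked, which mirrors the distinction the write-up draws: a shared C&C is treated as evidence of a common operator, while the shared commercial drivers with Shamoon are not. Infrastructure reuse is still only one signal; shared hosting, sinkholes and proxy services can also produce overlaps that do not indicate a shared operator.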
Links to Jokra
The Destover attackers use techniques and components, such as file names, that are similar to those used in the Jokra attacks against South Korea in 2013. These attacks crippled servers belonging to several South Korean banks and broadcasting organizations and also defaced the website of a Korean telecoms firm.
The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired. Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks (Korean language link).
Similarities to Shamoon attacks
Destover also shares some commonalities with the Shamoon attacks. Both Destover and the malware used by the Shamoon attackers (W32.Disttrack) share some drivers. These are not malicious files; they are commercially available drivers. While both Destover and Disttrack are destructive forms of malware, there is no evidence to suggest that the same group is behind both attacks.
Symantec and Norton products detect this threat as Backdoor.Destover.