North Korean News Agency Website Serves File Infector

We were recently alerted to reports claiming that the website of North Korea’s official news service, www.kcna.kp, had been delivering malware via embedded malicious code. One of the photo spreads on the website was found to contain malware that launched a watering hole attack on individuals who visited the website and its other pages.

Below is an infection diagram for the malware associated with this attack.

Figure 1. Infection diagram

The mother file in this attack is detected as PE_WINDEX.A-O. As seen in the diagram above, the executable file mscaps.exe drops wtime32.dll, which contains the infection code and backdoor routine. Another executable file, mscaps.exe, injects code into explorer.exe to stay memory resident. As such, every time the affected system reboots, the malware runs on the system and begins its infection routine.

Explorer.exe executes the infection code and targets .EXE files on drives whose type is removable or shared, traversing drive letters from A to Z. We observed that it skips fixed drives. Apart from explorer.exe, this file infector looks for the following processes, into which it injects its malicious code:

  • iexplore.exe
  • ieuser.exe
  • firefox.exe
  • chrome.exe
  • msimn.exe
  • msnmsgr.exe
  • outlook.exe
  • winmail.exe
  • yahoomessenger.exe
  • ftp.exe

The website contains an infected .ZIP file named FlashPlayer.zip. Our initial analysis shows that the outdated Flash Player installer drops the main file infector WdExt.exe, which we detect as PE_WINDEX.A-O. It copies and renames the file Ws2_32.dll, which is the file for the Windows Sockets API used by most network applications to handle network connections. PE_WINDEX.A-O also creates the file SP{random}.tmp, which contains the system information gathered for the malware’s information theft routines. It gathers data such as date and time, computer name, user name, OS information, MAC address, and more.

This file drops six DLL components and two executable files, after which PE_WINDEX.A-O also starts infecting .EXE files in other drives.

Figure 2. SP33.tmp

The embedded malicious code runs on any browser, including several versions of Internet Explorer, Mozilla Firefox versions 10.0.9 and 36.0, Safari versions 7.0.3 and 4.0, Opera versions 9.00 and 12.14, and Google Chrome 41.0.2228.0. All the browsers we tested displayed the code snippet that includes /download/FlashPlayer10.zip.

Based on replicating the attack with an infected sample (calc.exe), we noticed that the infected file’s size is almost the same as that of the mother file infector, PE_WINDEX.A-O.

Additional analysis also shows that PE_WINDEX.A-O has developer metadata that lists its copyright as “© Microsoft Corporation. All rights reserved” and its publisher as Microsoft Corporation. Its description and comments contain the text Windows Defender Extension, among other listed information. This may be a disguise for the malware so that users won’t be suspicious about the file.
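The process list and the metadata disguise described above give a defender two concrete things to look for on a Windows host. The following PowerShell triage script is an added example, not code from the original post or from Trend Micro; the process names and the wtime32.dll file name come from the post, while the drive-type filter, the Microsoft-lookalike metadata check and the Authenticode check are this script’s own assumptions about how to hunt for the behaviour.

```powershell
# Added triage script (not from the original post). Process names and wtime32.dll
# are taken from the post; the drive filter, metadata and signature checks are
# this script's own logic for hunting the described behaviour.

# 1. Processes the file infector injects into, as listed in the post.
$targets = 'explorer','iexplore','ieuser','firefox','chrome','msimn',
           'msnmsgr','outlook','winmail','yahoomessenger','ftp'

Write-Host "[*] Checking target processes for a loaded wtime32.dll"
Get-Process -Name $targets -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        # Modules enumeration can throw on access denied or 32/64-bit mismatch.
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'wtime32.dll' }
    } catch { $hit = $null }
    if ($hit) {
        [pscustomobject]@{ Finding = 'wtime32.dll loaded'; Process = $proc.ProcessName
                           PID = $proc.Id; Path = ($hit | Select-Object -First 1).FileName }
    }
}

# 2. The infector writes only to removable and network drives (Win32_LogicalDisk
#    DriveType 2 and 4), so scan those for EXEs whose version info mimics
#    Microsoft or "Windows Defender" but that carry no valid Authenticode signature.
Write-Host "[*] Scanning removable/network drives for unsigned EXEs with Microsoft-like metadata"
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2,4 }
foreach ($d in $drives) {
    Get-ChildItem -Path "$($d.DeviceID)\" -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        $claimsMs = ($vi.CompanyName     -like '*Microsoft*') -or
                    ($vi.LegalCopyright  -like '*Microsoft*') -or
                    ($vi.FileDescription -like '*Windows Defender*') -or
                    ($vi.Comments        -like '*Windows Defender*')
        if (-not $claimsMs) { return }   # skip files that do not claim Microsoft metadata
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Finding = "Microsoft-like metadata, signature $($sig.Status)"
                               Process = $null; PID = $null; Path = $_.FullName }
        }
    }
}
```

Run it from an elevated prompt so module enumeration succeeds for processes owned by other users; a genuine Microsoft binary passes the signature check, so only unsigned or invalidly signed lookalikes are reported.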

Data from the Smart Protection Network

According to feedback from the Trend Micro™ Smart Protection Network™, the file infector’s .DLL components primarily hit users in South Korea. We noted a spike in infections in November 2014. The mother file infector, PE_WINDEX.A-O, showed steady growth in infections from October 2014 to December 2014.

Related hashes:


With additional analysis by Homer Pacag, Michael Marcos and Miguel Ang

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 16 January 2015; the full text is available from the content source named above.