Chinese-Speaking Hackers Target South Korea
Israel-based security research company Seculert has discovered a new type of malware that appears to originate from China.
"We discovered several different global attacks going backwards four years," said Seculert CEO Aviv Raff.
These attacks were all accomplished with a type of malware that Seculert has named "PinkStats." This malicious software works by masquerading as a Web-analytics program — hence the "stats" in the name; the "pink" part comes from the color of the user interface for this fake analytics component.
Once it's on a computer, PinkStats calls back to a command-and-control server operated by the attackers. Through that link, the attackers can download even more malware onto the compromised machine.
Seculert says PinkStats appears to be Chinese in origin because certain parts of its code are written in a Chinese language, as is the fake user interface.
That isn't conclusive proof by any means, but it could be significant because experts suspect that China has been involved in several global cyberattacks over the last few years.
Most recently, Moscow-based security company Kaspersky Lab uncovered a cyberespionage campaign called NetTraveler that also appears to be Chinese in origin. What's more, NetTraveler's targets were mostly political in nature — diplomatic, governmental and military institutions — leading experts to believe that the Chinese government might be involved.
Seculert says it has found instances of PinkStats being used as an attack tool as far back as 2009. Most recently, PinkStats was used to infect a series of universities in South Korea.
Seculert located and hacked one of the command-and-control servers used to control PinkStats. By examining the records, the security company found over 1,000 South Korean machines that had become infected. In this instance, PinkStats was used to download two additional types of malware to the compromised computers. Seculert describes the first type of malware, called zxarps, as a "common Chinese attack tool."
The second type of malware is a DDoS malware tool, but it doesn't seem to have been activated yet. Both types of malware masquerade as certified Microsoft software.
Raff told TechNewsDaily that PinkStats went undetected for so long because most anti-virus programs focus on preventing malicious programs from gaining access to a computer rather than detecting malware that already may have penetrated its defenses.
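The gap Raff describes, where nothing looks for malware that is already inside, is usually closed by watching what infected machines do on the network rather than what lands on disk. The script below is an added example (not from the article, Seculert, or TechNewsDaily) that illustrates one such check: it scans constructed proxy log lines for host-to-destination pairs that call back at regular intervals, the kind of periodic command-and-control beacon described above. The log format, hostnames, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data), one "timestamp src_ip dst_host" per line.
# Host 10.0.0.5 calls the same destination every five minutes, like a C2 beacon;
# host 10.0.0.7 browses a site at irregular, human-paced intervals.
SAMPLE_LOG = """\
2013-06-01T09:00:00 10.0.0.5 analytics.example.invalid
2013-06-01T09:05:00 10.0.0.5 analytics.example.invalid
2013-06-01T09:10:01 10.0.0.5 analytics.example.invalid
2013-06-01T09:15:00 10.0.0.5 analytics.example.invalid
2013-06-01T09:20:00 10.0.0.5 analytics.example.invalid
2013-06-01T09:01:12 10.0.0.7 news.example.invalid
2013-06-01T09:02:40 10.0.0.7 news.example.invalid
2013-06-01T09:30:05 10.0.0.7 news.example.invalid
2013-06-01T10:45:00 10.0.0.7 news.example.invalid
2013-06-01T10:46:30 10.0.0.7 news.example.invalid
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the requests are evenly spaced,
    which is characteristic of a timer-driven beacon rather than a person.
    Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean_gap = mean(gaps)
    if mean_gap == 0:
        return None
    return mean_gap, pstdev(gaps) / mean_gap


def find_beacons(text, min_hits=4, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_hits requests whose spacing is
    regular enough (coefficient of variation <= max_cv) to look like beaconing.
    Thresholds are assumed values for the example; tune them to your traffic."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        mean_gap, cv = score
        if cv <= max_cv:
            flagged.append((src, dst, round(mean_gap), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s (cv={cv})")
```

Run against the constructed log, only the 10.0.0.5 pair is reported (a 300-second period with near-zero variation); the 10.0.0.7 traffic has a high coefficient of variation and is ignored. In practice the same logic runs over real proxy or DNS logs, and regular callbacks to a destination nobody in the organisation recognises are worth a closer look regardless of whether any endpoint product raised an alert.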
You can read Seculert's full blog post here.