FireEye Claims that Sanny Malware Hitting Russian Bodies Traced Back to Korea
The latest targeted attack against Russian entities, one that harvests personal information, has been spotted in the malware landscape. Named "Sanny", it appears to originate from Korea, according to FireEye.
According to FireEye's Malware Intelligence Lab, Sanny is hitting Russian Space Research, Information, Education and Telecom organisations and grabbing various kinds of passwords from the victim's machine, along with the credentials stored by Firefox for various online services, including Hotmail and Facebook. It also profiles the targeted victims, gathering information about their location, region and other such details.
The attack uses a standard exploit vector: a malicious Word document. The researchers explained that these attacks share a common element that lets the attackers harvest information from their victims.
Namely, the victim takes the message for a genuine one, such as a note from the computer help desk, and acts on it. The clean-looking message is carefully wrapped inside a malicious document, and the attack is discovered only after the spam has succeeded.
According to FireEye Malware Intelligence Lab researchers Alex Lanstein and Ali Islam, the attacks arrive as a rigged Cyrillic Word file, as reported by threatpost.com on December 11, 2012.
The malicious file looks clean, but it actually drops another executable together with a pair of .DLL files once the spam has succeeded.
FireEye believes Korea is involved in the operation for several reasons. For one, the SMTP mail server and the command-and-control servers used by the malware are located in Korea. The fonts in the bait document are Batang and KP CheongPong, both Korean. Notably, the attacker's choice of a Korean message board as the CnC channel suggests that he or she is either from Korea or familiar with the Korean language.
Another indicator pointing to Korea is that a search on "jbaksanny" (the Yahoo e-mail address used) leads to a Korean Wikipedia page created by a user named Jbaksan. The page is auto-filled and its edit history contains nothing beyond the creation of this user, FireEye concluded.
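The font observation above is a cheap triage check an analyst can automate: a .docx is a zip container whose optional `word/fontTable.xml` part declares the fonts the document uses. The following script, added here as an example and not FireEye's tooling, lists those fonts and matches them against an analyst-supplied watchlist. The watchlist is constructed from the two fonts named in this article; `build_sample_docx` fabricates a minimal document in memory so the check runs offline.

```python
"""Triage helper: list the fonts a .docx declares and match them against a watchlist.

Added example (not FireEye's code). The watchlist below is constructed from the
fonts this article reports in the Sanny lure document; extend it as needed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W_NS)

# Analyst-supplied watchlist (constructed for this example from the article).
FONT_WATCHLIST = {"Batang", "KP CheongPong"}


def declared_fonts(docx_bytes):
    """Return the fonts declared in word/fontTable.xml, in document order.

    The font table part is optional in OOXML, so a document without one
    yields an empty list rather than an error.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/fontTable.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("word/fontTable.xml"))
    return [el.attrib.get(f"{{{W_NS}}}name", "") for el in root.iter(f"{{{W_NS}}}font")]


def font_indicators(docx_bytes, watchlist=FONT_WATCHLIST):
    """Report every declared font plus the sorted subset found on the watchlist."""
    fonts = declared_fonts(docx_bytes)
    return {"fonts": fonts, "matched": sorted(f for f in fonts if f in watchlist)}


def build_sample_docx(fonts, include_font_table=True):
    """Construct a minimal .docx in memory (constructed sample, not a real lure).

    Only the parts needed for the check are written; a real document carries
    many more parts, but the zip layout and the font table schema are the same.
    """
    root = ET.Element(f"{{{W_NS}}}fonts")
    for name in fonts:
        ET.SubElement(root, f"{{{W_NS}}}font", {f"{{{W_NS}}}name": name})
    font_table = ET.tostring(root, xml_declaration=True, encoding="UTF-8")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        if include_font_table:
            zf.writestr("word/fontTable.xml", font_table)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(["Times New Roman", "Batang", "KP CheongPong"])
    print(font_indicators(sample))
```

Run it against a suspect file by replacing the constructed sample with `open(path, "rb").read()`. A font match is a weak signal on its own, as the article's own reasoning shows: it is one of several indicators (mail server, CnC location, account names) that together support the attribution.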
» SPAMfighter News - 22-12-2012