OnionDog APT has been Attacking Korean Energy and Transportation
Recently, the Helios Team at 360 SkyEye Labs discovered that OnionDog, a hacker group, has been infiltrating and stealing information over the Internet from the transportation, energy and other infrastructure industries of Korean-speaking countries. According to correlation analysis of big data, OnionDog's first activity can be traced back to October 2013; in the following two years it was active only between the end of July and the beginning of September. On average, the self-set life cycle of an attack by its Trojan is 15 days, and the operation is distinctly objective-oriented and organized.
Qihoo's Helios Team first came across this threat in October 2013. According to the company, the group really became active in the summer of 2014, when it struck Korean companies in the water supply and energy sectors.
Attacks happened again in the summer of 2015, when Qihoo found new targets under attack, some of them subways, VTS (Vessel Traffic Systems), port harbors, public transportation and other transportation systems. Softpedia.com reported on March 9th, 2016 that these findings are consistent with what South Korean local authorities have reported during the past few months.
OnionDog mainly attacked in the form of spear-phishing emails. The early Trojan used file names and icons to pose as an HWP file (Hangul's file format). Later, the Trojan used a vulnerability in an upgraded version of Hangul, which allows malicious code to be placed in an actual HWP file; when the file is opened, the vulnerability triggers the download and then the activation of the Trojan.
According to Qihoo, the group used 96 different kinds of malware; however, all of it was programmed to self-delete, with no malware variant living longer than 29 days.
As its initial infection strategy, the OnionDog group ran many spear-phishing campaigns carrying Trojan-laced executables that used the icon of Hangul, the well-known Korean word-processing software.
Then, in 2015, the group changed its strategy and began leveraging software vulnerabilities in the Hangul editor to automatically download and install its malware.
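The first-stage trick described above (an executable dressed up with a Hangul icon and a document-like name) can be caught at the mail gateway by checking what an attachment's leading bytes actually are rather than trusting its name. The following is an added example written for this article, not code from 360 or from the article itself; the magic values are taken from public format documentation (HWP 5.x is an OLE2 compound file, HWP 3.x starts with a plain text header, HWPX is a zip), and the sample attachments are constructed.

```python
# Magic bytes of the containers Hangul actually writes, and of a Windows executable.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # HWP 5.x compound file
HWP3_MAGIC = b"HWP Document File"                # HWP 3.x header
ZIP_MAGIC = b"PK\x03\x04"                        # HWPX zip container
PE_MAGIC = b"MZ"                                 # DOS/PE executable stub

EXEC_SUFFIXES = {"exe", "scr", "com", "pif"}
DOC_SUFFIXES = {"hwp", "hwpx", "doc"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and icon."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(HWP3_MAGIC):
        return "hwp3"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment posing as a Hangul document looks forged."""
    findings = []
    parts = name.lower().split(".")
    # 'report.hwp.exe': document-looking name with an executable suffix appended
    if len(parts) > 2 and parts[-1] in EXEC_SUFFIXES and parts[-2] in DOC_SUFFIXES:
        findings.append("double extension hides an executable")
    kind = sniff(data)
    if kind == "pe":
        findings.append("content is a Windows executable")
    if parts[-1] == "hwp" and kind not in {"ole2", "hwp3"}:
        findings.append("extension .hwp but content is not an HWP container")
    if parts[-1] == "hwpx" and kind != "zip":
        findings.append("extension .hwpx but content is not a zip container")
    return findings


def demo() -> dict:
    """Run the check over constructed samples: one forged, one genuine-looking."""
    forged = b"MZ\x90\x00" + b"\x00" * 60          # constructed PE-like stub
    genuine = OLE2_MAGIC + b"\x00" * 56            # constructed OLE2 header only
    return {
        "report.hwp.exe": check_attachment("report.hwp.exe", forged),
        "report.hwp": check_attachment("report.hwp", genuine),
    }
```

This only detects masquerading; a malicious document that is a real HWP container exploiting an editor vulnerability, as in the group's later campaigns, passes this check and has to be handled by patching Hangul and sandboxing attachments.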
Although no one has said outright that the Lazarus group operates from North Korea, all the clues point toward that conclusion for both the Lazarus group and OnionDog.
» SPAMfighter News - 3/16/2016