December 5, 2014

Sony malware linked to South Korean virus

Destover samples report to same command server as backdoor Volgmer.

By Jimmy Nicholls

Malware involved in the hack against Sony has been linked to earlier attacks in South Korea by the security firm Symantec.

Some Destover samples are reporting to the same command and control (C&C) server used by the trojan Volgmer, which makes the company believe the same group is behind both attacks.

Symantec said: "Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution."

"Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers."

Volgmer is capable of opening backdoors in computers, facilitating communication between the machine and the C&C server to download more malware, remotely execute commands and steal data.

"Interestingly, the variants of Volgmer that share a C&C server with Destover are configured to end execution if the compromised computer’s region is not ‘Korea’," the company added.

Symantec also found that Destover has techniques and component names in common with Jokra, also called DarkSeoul after the group behind it, which hit banks and news groups in South Korea in what is thought to have been a politically motivated attack.


In addition, Destover shares drivers with Shamoon, a piece of malware that a company insider used to attack the oil company Saudi Aramco, deleting data on three-quarters of the firm's computers and posting a picture of a burning US flag.

Kaspersky Lab, another security company, said that the groups behind Destover, Shamoon and Jokra had "operational and toolset characteristics [that] all carry marked similarities", but, like Symantec, did not conclude that they were necessarily the same actors.

"In this instance it appears highly unlikely that the same group was behind both attacks and instead it would appear that the Destover attacks copied techniques from Shamoon," Symantec added.
