Inside TDrop2: Technical Analysis of new Dark Seoul Malware
Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. For more information on the new campaign discovered by Unit 42, please refer to our recent blog post.
In this attack, attackers embedded the TDrop2 malware inside a legitimate video software package hosted on the software distributor’s website. By doing this, they were able to target organizations that relied on the distributor’s security camera solution and infect their systems with malware. They created a true Trojan horse, which sneaks into a network as a gift, but when opened, the attacker’s army leaps out.
Trojanized Video Player (Stage 1)
The malware used for the attempted infection purported to be a legitimate video player, providing viewing software for security …
IoC
01635C842F4CEE4E5A97FBA2341207B1372A4559
0EF3EC648B63BADADB6BA947E4F90F12C2C8B7E8
1B86A66A0A0D6A619D8F2CD1E2904EF7395B3F81
2356DB510C8C2D5F72945D3D0B9B826DA55AD93C4CD2461961888468EC2F1591
23637A57EA2F984AFAF991D4E90E3F4A
25D283BEA4136F07C13FF3902821A207A9F67A7F
285352CAD75DC32BAAE10ABF68005397
29289C19C414CF79E61E095C1500938A
3E9BFA7F4EFD3B5687872FEAE62138FAB14E4AF48E2A018C8113325C3D79D6CB
43EB1B6BF1707E55A39E87985EDA455FB322AFAE3D2A57339C5E29054FB52042
49A665D51E0F17C6554F11BE7ABCDCC98B94A68F6041FD02A74291540FC05A79
56C9BB7A7F3AF5F55F4E4FA94E8C6ACC
6270129B7EE49AEF969E8C18FAD584E7CB2E512E
6C53A43ACFB8F3A1C7B37EB614CBD89DD7E70DFE
7315E7FD14518B8A27750D5F717A9FA6BBA71880
8BB8E4193ED7A115B97046AFAA6CF371F237885F
A02E1CB1EFBE8F3551CC3A4B452C2B7F93565860CDE44D26496AABD0D3296444
A10CF8B278AF1BBC93E03E29908202197365792FCB0ADD8D02A1E0BDBF94121E
B67638C91EAE7DB255E41F7CC0CCE46B
C89A97B99063A74EEEA8B7288196CB96
E64443E3F3D86D0AB86DAEB0B9E51D2ADA44B23CEBEE68AF9889C8AC72D2ED97
EE878A8ADEE367371242D624F79531FCB81850A25AF0A46B1F82CFB5975F1C89
F6F3D7264F7478B472894B90A66EA2A2
http://mcm-yachtmanagement.com/installx/install_ok.php
http://www.combra.eu/includes/images/logo.jpg
http://www.junfac.com/tires/skin/tires.php
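The list above mixes MD5, SHA1 and SHA256 file hashes with C2 URLs, so the first job for a defender is to sort the indicators by type and then check hosts and proxy logs against them. The script below is an added example written for this page, not code from the Unit 42 report or from Palo Alto Networks: it classifies each indicator from its hex length, hashes a file only with the algorithms the list actually contains, and matches proxy-log URLs on exact scheme, host and path rather than by substring so a look-alike host does not produce a false positive. The sample file bytes and the proxy log lines are constructed for the demonstration; only the indicators are taken from the report.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the IoC section of the report (hashes and URLs).
RAW_IOCS = """
01635C842F4CEE4E5A97FBA2341207B1372A4559
0EF3EC648B63BADADB6BA947E4F90F12C2C8B7E8
1B86A66A0A0D6A619D8F2CD1E2904EF7395B3F81
2356DB510C8C2D5F72945D3D0B9B826DA55AD93C4CD2461961888468EC2F1591
23637A57EA2F984AFAF991D4E90E3F4A
25D283BEA4136F07C13FF3902821A207A9F67A7F
285352CAD75DC32BAAE10ABF68005397
29289C19C414CF79E61E095C1500938A
3E9BFA7F4EFD3B5687872FEAE62138FAB14E4AF48E2A018C8113325C3D79D6CB
43EB1B6BF1707E55A39E87985EDA455FB322AFAE3D2A57339C5E29054FB52042
49A665D51E0F17C6554F11BE7ABCDCC98B94A68F6041FD02A74291540FC05A79
56C9BB7A7F3AF5F55F4E4FA94E8C6ACC
6270129B7EE49AEF969E8C18FAD584E7CB2E512E
6C53A43ACFB8F3A1C7B37EB614CBD89DD7E70DFE
7315E7FD14518B8A27750D5F717A9FA6BBA71880
8BB8E4193ED7A115B97046AFAA6CF371F237885F
A02E1CB1EFBE8F3551CC3A4B452C2B7F93565860CDE44D26496AABD0D3296444
A10CF8B278AF1BBC93E03E29908202197365792FCB0ADD8D02A1E0BDBF94121E
B67638C91EAE7DB255E41F7CC0CCE46B
C89A97B99063A74EEEA8B7288196CB96
E64443E3F3D86D0AB86DAEB0B9E51D2ADA44B23CEBEE68AF9889C8AC72D2ED97
EE878A8ADEE367371242D624F79531FCB81850A25AF0A46B1F82CFB5975F1C89
F6F3D7264F7478B472894B90A66EA2A2
http://mcm-yachtmanagement.com/installx/install_ok.php
http://www.combra.eu/includes/images/logo.jpg
http://www.junfac.com/tires/skin/tires.php
"""

# Hex digest length identifies the algorithm: 32 -> MD5, 40 -> SHA1, 64 -> SHA256.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_url(url):
    """Reduce a URL to (scheme, host, path) so matching is exact rather than substring-based."""
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/")


def classify(raw):
    """Split a raw IoC dump into per-type sets; unknown lines raise instead of being silently dropped."""
    out = {"md5": set(), "sha1": set(), "sha256": set(), "url": set()}
    for line in raw.splitlines():
        ioc = line.strip()
        if not ioc:
            continue
        if ioc.lower().startswith(("http://", "https://")):
            out["url"].add(normalize_url(ioc))
        elif HEX_RE.match(ioc) and len(ioc) in HASH_TYPES:
            out[HASH_TYPES[len(ioc)]].add(ioc.lower())
        else:
            raise ValueError(f"unrecognised indicator: {ioc!r}")
    return out


def match_bytes(data, indicators):
    """Hash file contents with each algorithm present in the indicator set; return [(algo, digest)] hits."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        if not indicators[algo]:
            continue  # no indicators of this type, so skip the work
        digest = hashlib.new(algo, data).hexdigest()
        if digest in indicators[algo]:
            hits.append((algo, digest))
    return hits


def match_proxy_log(lines, indicators):
    """Return (line_number, url) for each log line whose requested URL equals a URL indicator exactly."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if token.lower().startswith(("http://", "https://")) and normalize_url(token) in indicators["url"]:
                hits.append((n, token))
    return hits


INDICATORS = classify(RAW_IOCS)

# Constructed sample: a fake "file" and an indicator set seeded with its own MD5, to exercise match_bytes.
SAMPLE_FILE = b"constructed sample file contents, not a real binary"
SAMPLE_INDICATORS = {"md5": {hashlib.md5(SAMPLE_FILE).hexdigest()}, "sha1": set(), "sha256": set(), "url": set()}

# Constructed proxy log lines (not from the report). Line 3 is a look-alike host that must NOT match.
SAMPLE_PROXY_LOG = [
    "2015-11-20T10:01:02Z 10.0.0.5 GET http://example.com/index.html 200",
    "2015-11-20T10:01:09Z 10.0.0.5 GET http://www.combra.eu/includes/images/logo.jpg 200",
    "2015-11-20T10:01:15Z 10.0.0.7 GET http://www.combra.eu.example.net/includes/images/logo.jpg 200",
]

if __name__ == "__main__":
    for kind, values in INDICATORS.items():
        print(f"{kind}: {len(values)} indicators")
    print("file hits:", match_bytes(SAMPLE_FILE, SAMPLE_INDICATORS))
    print("proxy hits:", match_proxy_log(SAMPLE_PROXY_LOG, INDICATORS))
```

In practice `match_bytes` would be run over the installer package and any dropped files on the suspect host, and `match_proxy_log` over the egress proxy history for the period in which the trojanized installer was downloaded; the exact-match rule on host and path is what keeps a URL indicator from flagging every request that merely contains `logo.jpg`.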