6.25 Cyber Terror Analysis Report

2013-07-09 AhnLab 6.25 Cyber Terror Analysis Report

http://download.ahnlab.com/kr/site/magazineAhn/ahn_201307.pdf

Attachments

ahn_201307.pdf (10 MB)


AhnLab's analysis of the June 25, 2013 cyberattack describes DDoS activity against South Korean government and media-related targets beginning at 10:00 local time. One attack path used malware distributed through modified installer and update files of webhard (Korean web-storage) services to turn user PCs into bots, then used C&C instructions to direct traffic at the DNS servers supporting government websites. A second path used malicious scripts injected into websites so that visitors generated attack traffic while browsing, and the report also notes Apache Range DoS activity against selected media, political-party, and related domains. The excerpt includes malware staging details such as service-style DLL execution, creation of wuauieop.exe, and downloads from webmail.genesyshost.com and hostmypic.net, giving defenders concrete host and network behaviors to validate.

Indicators of Compromise

