6.25 DNS DDoS Attack Malware Analysis

2013-07-19 HNS 6.25 DNS DDoS attack malware analysis

https://www.dailysecu.com/bbs/download.php?table=bbs_10&savefilename=bbs_10_981_2774.pdf&filename=HNS-WI-13-025.pdf

Attachments

HNS-WI-13-025.pdf (654 KB)


The 6.25 DNS DDoS malware was delivered through compromised Simdisk distribution infrastructure; infected PCs were used to generate DNS amplification traffic aimed at South Korean government DNS servers. According to the report, which draws on Fortinet's analysis, the SimDisk_setup.exe package dropped SimDiskup.exe, which downloaded c.jpg from the path /images/korea.c.jpg on the compromised server. That file was saved as simdisk.exe and unpacked alg.exe, explorer.exe, and config.ini.

The malware bundled Tor 0.2.3.25 components and carried several hardcoded .onion URLs from which it retrieved the DDoS payload. Before installing the payload it checked for existing file-mapping objects and for the system architecture, then dropped a DLL loaded as a service together with the Themida-packed wuauieop.exe.

At the hardcoded trigger time of 25 June 10:00, the payload started the DNS amplification attack: it sent roughly 20,000 randomized DNS queries whose responses were directed at ns.gcc.go.kr and ns2.gcc.go.kr. The report notes that the timing and execution logic resembled elements seen in the 3.20 cyber attacks.
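The following is an added detection example written for this page; it is not code from the HNS report or from Fortinet. It shows what a defender can look for in egress DNS query records given the behaviour described above: a burst of randomized queries from a source address that is not part of the local network (the spoofed-source signature of an amplification bot), plus matches against the domain and IP indicators in the report's IoC table. The record format, the local prefix 10.20.0.0/16, the sample records and the thresholds are all constructed assumptions for the example.

```python
"""
Added detection example (not from the HNS report): scan egress DNS query
records for the amplification pattern the report describes and for the
report's published indicators. The log format, local prefix, sample data
and thresholds are constructed for this example.
"""
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Indicators copied from the report's IoC table (the truncated .onion URLs are omitted).
IOC_DOMAINS = {"simdisk.co.kr"}
IOC_IPS = {"152.99.200.6", "152.99.1.10"}

# Hypothetical local prefix: an outbound query whose source lies outside it is spoofed,
# which is exactly what egress (BCP 38) filtering is meant to stop.
LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Hypothetical record format: "<epoch> <src_ip> <dst_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, qname, qtype = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(qname, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy leftmost label suggests a generated query name."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def matched_indicators(rec):
    """Return the sorted list of IoC values this record touches."""
    hits = set()
    if rec["dst"] in IOC_IPS:
        hits.add(rec["dst"])
    for d in IOC_DOMAINS:
        if rec["qname"] == d or rec["qname"].endswith("." + d):
            hits.add(d)
    return sorted(hits)


def analyze(lines, window=10, burst_threshold=5):
    """Group random-label queries per (source, time window) and report anomalies."""
    findings = {"spoofed_src": set(), "random_bursts": [], "ioc_hits": []}
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in LOCAL_NET:
            findings["spoofed_src"].add(rec["src"])
        hits = matched_indicators(rec)
        if hits:
            findings["ioc_hits"].append({"ts": rec["ts"], "src": rec["src"], "matched": hits})
        if looks_random(rec["qname"]):
            buckets[(rec["src"], rec["ts"] - rec["ts"] % window)] += 1
    for (src, start), n in sorted(buckets.items()):
        if n >= burst_threshold:
            findings["random_bursts"].append({"src": src, "window_start": start, "count": n})
    return findings


# Constructed sample: one spoofed-source burst of ANY queries with random labels,
# one lookup touching indicators from the report, and benign traffic around them.
SAMPLE_LOG = """\
1372125600 10.20.1.5 10.20.0.53 www.example.com A
1372125601 198.51.100.7 203.0.113.10 k9x2qv7mzp4t.example.net ANY
1372125601 198.51.100.7 203.0.113.11 q7w3e5r9t1y2.example.net ANY
1372125602 198.51.100.7 203.0.113.12 z4x8c2v6b1n3.example.net ANY
1372125602 198.51.100.7 203.0.113.13 p0o9i8u7y6t5.example.net ANY
1372125603 198.51.100.7 203.0.113.14 a1s2d3f4g5h6.example.net ANY
1372125604 10.20.1.9 152.99.200.6 simdisk.co.kr A
1372125605 10.20.1.5 10.20.0.53 mail.example.com MX
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

The spoofed-source check is the one that matters most for a network operator: a host inside 10.20.0.0/16 has no legitimate reason to emit DNS queries with a foreign source address, so any such record points at an amplification bot regardless of the query content. The entropy threshold is only a heuristic and should be tuned against the site's own baseline before being used for alerting.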

Indicators of Compromise

Type    Value                              First Seen   Last Seen
URL     http://snij5xfzt2qspxj2.onion/e…   2013-07-19   2013-07-19
URL     http://u6irlnorfxnn7cqs.onion/e…   2013-07-19   2013-07-19
URL     http://et53n5fxxmjukgki.onion/e…   2013-07-19   2013-07-19
URL     http://rns3d52wyctfktcb.onion/e…   2013-07-19   2013-07-19
URL     http://vtyee6ev7gki7qxf.onion/e…   2013-07-19   2013-07-19
URL     http://7odyldjmpzjrhsye.onion/e…   2013-07-19   2013-07-19
URL     http://swe4ta6k64m7vguk.onion/e…   2013-07-19   2013-07-19
URL     http://p4dxzhnlukvh6p4a.onion/e…   2013-07-19   2013-07-19
URL     http://n3fwfxcdjfv4zxpa.onion/e…   2013-07-19   2013-07-19
URL     http://hfc4z2pxfdmsfczp.onion/e…   2013-07-19   2013-07-19
DOMAIN  simdisk.co.kr                      2013-06-25   2013-07-19
IPv4    152.99.200.6                       2013-06-25   2013-07-19
IPv4    152.99.1.10                        2013-06-25   2013-07-19
