Dissecting operation Troy: Cyberespionage in South Korea
2013-07-08 • McAfee
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf
McAfee Labs links the March 20, 2013 Dark Seoul disruption to Operation Troy, a longer-running espionage campaign against South Korean targets, rather than treating it as a standalone wiping incident. The report says the attackers likely obtained remote access before the attack through spear-phished remote-access malware, then distributed a dropper that downloaded and executed MBR-wiping components across banks and news agencies. Evidence for the link includes compile-time sequencing of the samples, Roman-themed strings such as “principes” and “hastati,” a “Make Troy” build path, and overlap between the NewRomanic Cyber Army-themed wipers and material associated with the Whois Hacking Team defacement. Attribution is left unresolved in the excerpt; the self-declared groups are assessed as likely fabrications intended to misdirect investigators, while the activity itself combined espionage access with destructive impact.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | f0e045210e3258dad91d7b6b4d64e7f3 | 2013-04-02 | 2020-03-09 |
| URL | http://www.wischik.com/lu/progr… | 2013-07-08 | 2013-07-08 |
| DOMAIN | dennisoneil.net | 2013-07-08 | 2013-07-08 |
| DOMAIN | daeilho.net | 2013-07-08 | 2013-07-08 |
| DOMAIN | take.chu.jp | 2013-07-08 | 2013-07-08 |
| DOMAIN | mupa.co.kr | 2013-07-08 | 2013-07-08 |
| DOMAIN | apsumo.co.kr | 2013-07-08 | 2013-07-08 |
| DOMAIN | strider.pe.kr | 2013-07-08 | 2013-07-08 |
| DOMAIN | solarshare.co.kr | 2013-07-08 | 2013-07-08 |
| DOMAIN | hanja.edu.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | kairoshairstory.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | ejiweb.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | djuna.cine21.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | dochang.pe.kr | 2013-07-08 | 2013-07-08 |
| DOMAIN | byonshop.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | babcom-h1.bluethunder.co | 2013-04-24 | 2013-07-08 |
| DOMAIN | qitaegyo.com | 2013-04-24 | 2013-07-08 |
| DOMAIN | toneharbor.com | 2013-04-24 | 2013-07-08 |
| DOMAIN | traveler.foxlink.com | 2013-04-24 | 2013-07-08 |
| DOMAIN | gcglobal.com | 2013-04-24 | 2013-07-08 |
| DOMAIN | delmundo.kr | 2013-04-24 | 2013-07-08 |
| DOMAIN | lawbookcenter.co.kr | 2013-04-24 | 2013-07-08 |
| DOMAIN | nowq.net | 2013-04-24 | 2013-07-08 |
| DOMAIN | theumin.net | 2013-04-24 | 2013-07-08 |
| DOMAIN | sujewha.com | 2013-04-24 | 2013-07-08 |
| HASH | 9263e40d9823aecf9388b64de34eae54 | 2013-03-21 | 2013-07-08 |
| HASH | db4bbdc36a78a8807ad9b15a562515c4 | 2013-03-20 | 2013-07-08 |
| HASH | 5fcd6e1dace6b0599429d913850f0364 | 2013-03-20 | 2013-07-08 |
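The table above is only useful once it is turned into a matcher, and two details of it trip up naive sweeps: the URL row is truncated on the page (it ends in an ellipsis), so it cannot be matched exactly, and several domain indicators are hostnames under a shared parent (djuna.cine21.com), so a lookup of the parent alone is not a hit. The following is an added example, not code from McAfee or the report: it parses a subset of the rows pasted verbatim from the table, refuses truncated values, and sweeps constructed Zeek-style dns.log lines and a constructed list of observed MD5s. The three-column dns.log layout, the IP addresses and the sample hashes are assumptions made for the example.

```python
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Subset of the IOC table on this page, pasted verbatim. The URL row is
# truncated on the page (ends in an ellipsis) and must not be matched on.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | f0e045210e3258dad91d7b6b4d64e7f3 | 2013-04-02 | 2020-03-09 |
| URL | http://www.wischik.com/lu/progr… | 2013-07-08 | 2013-07-08 |
| DOMAIN | dennisoneil.net | 2013-07-08 | 2013-07-08 |
| DOMAIN | djuna.cine21.com | 2013-07-08 | 2013-07-08 |
| DOMAIN | babcom-h1.bluethunder.co | 2013-04-24 | 2013-07-08 |
| HASH | 9263e40d9823aecf9388b64de34eae54 | 2013-03-21 | 2013-07-08 |
| HASH | db4bbdc36a78a8807ad9b15a562515c4 | 2013-03-20 | 2013-07-08 |
"""


def parse_iocs(table_text):
    """Return ({type: set(values)}, skipped) from a markdown IOC table.
    Hashes are lower-cased and must be 32 hex chars; domains are
    lower-cased with any trailing dot removed. Truncated values (ending
    in an ellipsis) go to `skipped`, never into a match set."""
    iocs = {"HASH": set(), "DOMAIN": set(), "URL": set()}
    skipped = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] not in iocs:
            continue  # header, separator or blank line
        ioc_type, value = cells[0], cells[1]
        if value.endswith("…") or value.endswith("..."):
            skipped.append((ioc_type, value))
            continue
        if ioc_type == "HASH":
            value = value.lower()
            if not MD5_RE.match(value):
                skipped.append((ioc_type, value))
                continue
        elif ioc_type == "DOMAIN":
            value = value.lower().rstrip(".")
        iocs[ioc_type].add(value)
    return iocs, skipped


def matching_domain(query, domains):
    """Return the indicator that `query` equals or sits under, else None.
    Label-wise, not substring: www.dennisoneil.net hits dennisoneil.net,
    xdennisoneil.net does not, and the parent cine21.com is not a hit
    for the indicator djuna.cine21.com."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, iocs):
    """Scan Zeek-style dns.log lines (tab-separated ts, id.orig_h, query;
    layout assumed for this example); return (ts, orig_h, query, indicator)
    per hit."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # Zeek header lines
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        indicator = matching_domain(fields[2], iocs["DOMAIN"])
        if indicator:
            hits.append((fields[0], fields[1], fields[2], indicator))
    return hits


def scan_hashes(observed, iocs):
    """Return the observed MD5s (any case) that appear in the table."""
    return sorted({h.lower() for h in observed} & iocs["HASH"])


# Constructed sample input for this example, not real telemetry.
SAMPLE_DNS_LOG = [
    "#fields\tts\tid.orig_h\tquery",
    "1364781630.1\t10.0.0.12\twww.dennisoneil.net",      # subdomain: hit
    "1364781640.2\t10.0.0.12\tcine21.com",                # parent only: no hit
    "1364781650.3\t10.0.0.15\tdennisoneil.net.",          # trailing dot: hit
    "1364781660.4\t10.0.0.20\txdennisoneil.net",          # lookalike: no hit
    "1364781670.5\t10.0.0.21\tbabcom-h1.bluethunder.co",  # exact: hit
]
SAMPLE_HASHES = ["DB4BBDC36A78A8807AD9B15A562515C4",
                 "00000000000000000000000000000000"]

if __name__ == "__main__":
    iocs, skipped = parse_iocs(IOC_TABLE)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print("DNS hit:", hit)
    print("hash hits:", scan_hashes(SAMPLE_HASHES, iocs))
    print("skipped (truncated or malformed):", skipped)
```

To run it against the full table, paste all 28 rows into IOC_TABLE; the parser ignores the header and separator rows. The truncated URL is reported under `skipped` rather than silently dropped, so an analyst knows to recover the full value from the PDF before relying on it.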