Detailed Analysis Report on the SK Communications Hacking Incident

2011-08-04 Hauri Detailed analysis report on SK Communications hacking

http://jyj850714.tistory.com/attachment/[email protected]

Attachments

cfile9.uf136A793E4E3BA0FE059C9E.pdf (507 KB)

The SK Communications breach analysis traces a NateOn-themed malware chain that used `nateon.exe` to install `winsvcfs.dll` as a service-based RAT. The loader modified its own PE header so the binary could operate as a DLL, wrote the result under an All Users path, copied `kernel32.dll` timestamps for camouflage, and launched it through `RUNDLL32.EXE` with the `RqSkce` export. The RAT decrypted its strings and C2 settings at runtime, attempted port-80 communication with `nateon.duamlive.com` after checking `download.windowsupdate.com`, and registered persistence through `svchost.exe -k LocalService` service keys. Its command set covered database queries, registry manipulation, network and socket operations, service control, file operations, screenshots, process/module enumeration, command execution, and system power/session actions, supporting the report’s description of malware used in the breach that exposed about 35 million Nate user records.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   e3d8ce21bff2dd1882da2775e88a9935   2011-08-04   2011-08-04
HASH   461884f1d41e9e0709b40ab2ce5afca7   2011-08-04   2011-08-04
