Proprietary · 2013-07-09 · 1 day · DDoS, Backdoor

SimDisk auto-update delivered DDoS malware

Attackers abused SimDisk's auto-update path during the June 2013 South Korea attacks. The update installed malware used for DDoS and remote control.

Story

SimDisk was a South Korean cloud-storage and file-sharing client with an auto-update feature. During the 2013 South Korea attack wave, researchers linked malware delivery to an update installer retrieved from the SimDisk website.

The distribution method made the attack efficient. Users did not need to visit a phishing site or install a new product; the trusted client update channel supplied the malicious component. That placed SimDisk alongside the other abuses of Korean software-update channels seen in the DarkSeoul period.

Public reporting tied the malware to DDoS activity against South Korean government and media targets around the anniversary of the Korean War. The same threat cluster is commonly associated with destructive and disruptive operations against South Korean banks, broadcasters, and government sites.

The record is deliberately kept narrow. It tracks the SimDisk update channel and the DDoS/backdoor payload path, not every DarkSeoul operation or every wiper used in 2013.

Affected Artifacts

SimDisk_setup.exe

simdisk updater · simdisk.co.kr · Binary Archive
Observed
2013-07-09 to 2013-07-10
Compromised Versions
Unknown
Fixed
Not listed
Evidence
file: SimDisk_setup.exe, family: DarkSeoul, family: Koredos

Incident Context

Motive
Disruption
Attribution
State
Cause
Update Infrastructure Compromise
Transitive
No
Actor
DarkSeoul cluster
Actor Country
North Korea

External References

Source record: proprietary/simdisk/meta.yaml