A group named OnionDog has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries, researchers said.
OnionDog’s first activity traces back to October, 2013 and in the following two years it was only active between late July and early September, said researchers at the Helios Team at 360 SkyEye Labs.
As an attack scenario, OnionDog malware transmits by taking advantage of the vulnerability of the popular office software Hangul in Korean-language countries, and it attacked network-isolated targets through a USB worm.
OnionDog concentrated its efforts on infrastructure industries in Korean-language countries, researchers said. In 2015 this organization mainly attacked harbors, VTS, subways, public transportation and other transportation systems.
In 2014 it attacked electric power and water resources corporations as well as other energy enterprises.
The Helios Team found 96 groups of malicious code, 14 C&C domain names and IP related to OnionDog. It first surfaced in October 2013, and was most active in the summers of the following years. The Trojan set its own “active state” time, the shortest of which was three days and the longest of 29 days. The average life cycle is 15 days, which makes it more difficult for victims to notice and take actions than those active for longer period of time.
OnionDog’s attacks are mainly carried out in the form of spear phishing emails. The early Trojan used icons and file numbers to create a fake HWP file (Hangul’s file format). Later on, the Trojan used a vulnerability in an upgraded version of Hangul, which imbeds malicious code in a real HWP file. Once the file opens, the vulnerability will trigger to download and activate the Trojan.
Since most infrastructure industries, such as the energy industry, generally adopt intranet isolation measures, OnionDog uses the USB disk drive ferry to break the false sense of security of physical isolation – or air gap.
In the classic APT case of the Stuxnet virus, which broke into an Iranian nuclear power plant, the virus used an employee’s USB disk to circumvent network isolation. OnionDog also used this channel and generated USB worms to infiltrate the target internal network.
When the OnionDog Trojan releases it communicates to a C&C (Trojan server), download other malware and save them in the %temp% folder and use “XXX_YYY.jpg” uniformly as the file name. These names have their special meaning and usually point to the target.
All signs show that OnionDog has strict organization and arrangement across its attack time, target, vulnerability exploration and utilization, and malicious code. At the same time, it is very cautious about covering up its tracks, researchers said.
In 2014, OnionDog used many fixed IPs in South Korea as its C&C sites. Of course, this does not mean the attacker is in South Korea. These IPs could be puppets and jumping boards. By 2015, OnionDog website communications were upgraded to Onion City across the board.
In view of OnionDog’s pattern of activity, researchers said it is likely they will find a new round of attacks this summer. The relevant threat intelligence and technical analysis report will go up on 360’s Intelligence Center.