South Korean Universities Targeted by PinkStats Malware

PinkStats infects computers, downloads additional programs and reports back to a central server, says security firm Seculert.

A Chinese attack tool, dubbed PinkStats, is being actively used to infect South Korean university networks and install denial-of-service attack tools, security firm Seculert stated in a June 25 analysis of the malware.

PinkStats has infected at least 1,000 computer systems, mostly in educational institutions within the country, using a technique known as Address Resolution Protocol (ARP) poisoning to insert data into network requests and infect additional systems in the compromised network.

Several Chinese-speaking groups are using the malware and the command-and-control server software to manage a number of campaigns, Aviv Raff, chief technology officer for Seculert, told eWEEK. Although no evidence exists that the groups have any relationship with the Chinese government, the tools are in Chinese and the attackers appear to be focused on strategically important targets for China, he said.

"They are trying to get into the network to gain more computational power in addition to gaining access to intellectual property from those universities," Raff said. "My guess is that this is more likely hacktivists working under nation-states, rather than cyber-criminals, because they don't just try to infect machines opportunistically."

The issue of nation-state hacking has become a major political issue. In early June, high-level diplomatic talks between the United States and China addressed cyber-attacks and the theft of intellectual property from U.S. companies. While U.S. politicians blame China for the epidemic of attacks that have taken terabytes of information from corporate and government services, Chinese officials have pointed to evidence connecting the U.S. with the Stuxnet attack on Iranian nuclear processing capability.

Smaller nations have become a hotbed of hacking activity as well. Destructive cyber-attacks against a Saudi Arabian oil conglomerate and massive denial-of-service attacks against U.S. financial institutions have been blamed on Iran. Meanwhile, North Korea has allegedly mounted its own campaign of destructive attacks against South Korea.

PinkStats may be related to the latter campaign. The Chinese tool downloads a program known as "Zxarps," which allows the attackers to use ARP poisoning to infect other machines on the network. In such an attack, a compromised machine can use the ARP to redirect traffic from its intended recipient to the infected systems. The technique allows the attacker to send malicious traffic to other potential victims and further infect a network.

The malware's aim of building a botnet within South Korean education institutions capable of conducting a massive denial-of-service attack is the first evidence that Chinese actors may be behind attacks on South Korea, Raff stated in the blog post.

"While it was speculated that the Chinese are behind the recent DDoS [distributed denial-of-service] attack against South Korea's critical infrastructure, PinkStats seems to be the first real proof that Chinese-speaking adversaries are indeed targeting South Koreans," he stated.

The malware uses digital signatures to fool users into installing additional components, including using a signature for a nonexistent company with "Microsoft Corporation" as the product name.

To date, the attackers have not used the DDoS attack functionality, Raff said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...