VERY IMPORTANT

On September 18, 2015, we saw an activity on koreatimes.com where we captured a malicious binary. We investigated further and found that this campaign is specifically targeted to Korean sites and Korean banks. The payload we got also specifically targets Korean banks by modifying the infected systems hosts file to redirect traffic from Korean banks to its controlled server. This means the attacker can craft a phishing website without the user knowing it is visiting a phishing site. It also targets Ahnlab by killing processes and deleting files specific to the software. Ahnlab is a popular antivirus software in South Korea.