<— Back

TA505, Dridex and Squid Game

KISA (Korea Internet & Security Agency) is a government agency in Korea that carry out improvemnet of Internet, Information Security, and International Cooperation service about ICT. Specifically, it is running it KISC (Korea Internet Security Center), which is CERT as like to CISA in America, and takes role on prevention and countermeasure of cyber attacks targetting private sector’s ICT infrastructure. It mainly is serving countermeasure and analysis of hacking incidents that occur in the private sector, and spreads “Alert-State” on detected threats to them. In addition, by operating the Cyber Security Big Data Center, it analyzes and processes the acquired accident data to create an AI dataset and shares it with the private sector, enabling it to carry out a variety of tasks, such as fostering intelligence in the cbyer security.

SANDS Lab is a provider of cyber threat intelligence in South Korea. It is also an affiliated member of the CTA (Cyber Threat Alliance). It offers a service called “malwares.com” that is collecting, analyzing, and sharing around 2 million of IoCs (Indicator of Compromised) that are collected every day on all over the world. During the past 18 years, almost 2 billion malware have been collected and analyzed, and it provides analysis report for 30 billion IoCs. It posseses a variety of AI-based profiling technologies including its technical know-how of static and dynamic malware analysis, and then offers Intelligence Information to around 900 local and international clients.

In 2021, the KISA and SANDS Lab collaborated on a project to build the AI-datase in order to research and develop artificial intelligence models applicable to in the Cyber Security. Over 800 million datasets (source data and meta data) have been built on malware and cyber security incidents, which have many uses in the modern cyber security technology. And now, we preparing open different of artificial intelligence models and the AI-dataset.

SANDS Lab developed “AI-based Binary Reverse Engineering-based Attacker, Attack Technique Profiling (DBP: Deep Binary Profiler)” while building the above the AI-dataset. And, we achieved NET (New Excellent Technology) certification from Korean government by acknowledging the technological superiority. This technology extracts and trains various function-based features extracted through the disassembly process from the various collected binaries, identifies how similar it is to the existing attack techniques based on the code-based features, and as a result, the technique is able to detect and prevent attacks and identify even an attacker who has implemented the technique. With the “DBP” technology and “datasets” that was built, we could find out the tracking information of different threat actors who are operating significant attack campaigns around the world. It is a representative case that we have tracked the “Dridex malwares” exploiting keywords of “Squid Game”, a Korean Netflix series that became popular last October in the world. These attack groups have features using a technique so-called “social engineering” to spread malwares, which steals the personal information of a number of random people by exploiting the interests and social concerns of the victims. Sometimes they are called as TA575, but we also discovered something relations that in there could locate indicators like the Dridex-series samples dispersed by the TA505 attack group. So, we tried to analysis and trace the group of TA575 with our dataset and technology (DBP).

Consequently, we could inference that the attack campaign of Dridex distribution with the keyword “Squid Game” is associated with the TA505 attack group. To explain this inference, we present the technical genealogy by comparing the coding similarity between the malware samples used in the “Squid Game” campaign and the Dridex ones utilized by the TA505 group.