{
	"id": "848bcd71-0d24-466b-9a0d-02d7115d0b82",
	"created_at": "2026-04-06T00:11:57.710238Z",
	"updated_at": "2026-04-10T13:12:26.491486Z",
	"deleted_at": null,
	"sha1_hash": "b059237e5530a1311097a53059e6e5008b8c8c24",
	"title": "South Korean Financial Companies Targeted by Castov",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97985,
	"plain_text": "South Korean Financial Companies Targeted by Castov\r\nArchived: 2026-04-05 14:00:50 UTC\r\nThe financial malware landscape is constantly evolving: cybercriminals are becoming more knowledgeable about the financial sector, and attacks are becoming more sophisticated. We’ve recently released a report, “The World of Financial Trojans,” describing the different features and techniques used by banking malware. It would seem that the choices made by the malware authors concerning these techniques and features depend on the cybercriminals’ financial resources and market knowledge.\r\nIn most cases financial malware favors exploit kits as its infection vector. In the past few months we have been actively monitoring an exploit kit, called Gongda, which is mainly targeting South Korea. Interestingly, we have come across a piece of malware, known as Castov, being delivered by this exploit kit, that targets specific South Korean financial companies and their customers. The cybercriminals in this case have done their research on the South Korean online financial landscape.\r\nFigure 1. Heatmap of Gongda IPS detections for May 2013 (98% of hits are in South Korea)\r\nThe initial stage of this threat is Downloader.Castov. It is compiled in Delphi and has the ability to stop antivirus software; once inside a computer, it reports the infection to its command-and-control (C\u0026C) server and downloads an encrypted file that is the second stage.\r\nThe second stage is Infostealer.Castov. The infostealer checks specific offsets in a list of clean DLLs (all related to Korean online banking software and security) for opcode instructions and then patches those instructions. The injected code checks for strings that appear to be passwords, account details, and transactions. Once the data is found and collected, it is sent to a remote server.\r\nhttps://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov\r\nPage 1 of 3\r\nTable 1. Targeted DLLs and actions taken\r\nAdditionally, the infostealer collects the digital certificates stored in the compromised computer’s NPKI directory (%ProgramFiles%\\NPKI). Those digital certificates are widely used in South Korea and are issued for general financial purposes (individual/corporate) such as banking, credit cards, insurance, etc. They are unique to each user and are valid for one year.\r\nThe combination of screenshots, passwords, and digital certificates will allow the cybercriminals to access users’ financial accounts.\r\nFigure 2. Heatmap of Castov antivirus detection from January to May 2013\r\nSymantec has the following protection in place for both Castov and Gongda:\r\nAntivirus protection:\r\nDownloader.Castov\r\nInfostealer.Castov\r\nIntrusion prevention protection:\r\nWeb Attack: Gongda Exploit Kit Website\r\nWeb Attack: Gongda Exploit Kit Website 2\r\nTo ensure the best protection, we recommend you use the latest Symantec Technologies and up-to-date antivirus definitions.\r\nSource: https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov"
	],
	"report_names": [
		"south-korean-financial-companies-targeted-castov"
	],
	"threat_actors": [],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b059237e5530a1311097a53059e6e5008b8c8c24.pdf",
		"text": "https://archive.orkl.eu/b059237e5530a1311097a53059e6e5008b8c8c24.txt",
		"img": "https://archive.orkl.eu/b059237e5530a1311097a53059e6e5008b8c8c24.jpg"
	}
}