Summary:
The article discusses a significant rise in phishing emails impersonating the National Tax Service (NTS) during tax filing periods, particularly in 2024. These emails often manipulate sender addresses and include malicious attachments or links. Various file formats are used to execute different malicious behaviors, highlighting the need for users to be vigilant during tax season.
#PhishingScams #TaxSeasonThreats #EmailSecurity
Keypoints:
Phishing emails impersonating the NTS have increased significantly in 2024.
Threat actors manipulate sender email addresses to appear legitimate.
Malicious files are attached in various formats, or hyperlinks are embedded in the emails.
Eight file formats are commonly used, each executing different malicious behaviors.
DLL files are distributed in compressed files, often disguised as legitimate applications.
CHM files execute malicious scripts that can lead to further malware downloads and system compromise.
Users are advised to exercise caution, especially during tax payment periods.
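The keypoints above describe manipulated sender addresses and CHM, DLL or EXE files delivered inside compressed attachments. The following mail-triage check is an added example, not code from the original research. The function names, the `nts.example` and `mailer.invalid` domains, and the From versus Return-Path comparison are assumptions made for illustration, and the sample message is constructed with inert content.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types this page names as delivery formats.
RISKY_EXT = (".chm", ".dll", ".exe")

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return (kind, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # Assumed heuristic: visible sender and bounce address disagree.
    if env_dom and from_dom != env_dom:
        findings.append(("sender-mismatch", f"{from_dom} vs {env_dom}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(RISKY_EXT):
            findings.append(("risky-attachment", name))
        if data[:4] != b"PK\x03\x04":
            continue  # not a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(RISKY_EXT):
                        findings.append(("risky-in-archive", f"{name}:{info.filename}"))
        except zipfile.BadZipFile:
            findings.append(("unreadable-archive", name))
    return findings

def build_sample(bounce_domain, member):
    """Constructed test message; the archive member holds inert bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder")
    m = EmailMessage()
    m["From"] = "National Tax Service <notice@nts.example>"
    m["Return-Path"] = f"<bounce@{bounce_domain}>"
    m.set_content("See attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="NTS_eTaxInvoice.zip")
    return m.as_bytes()
```

A sender mismatch also occurs with legitimate bulk mailers, so treat it as a signal to combine with the attachment findings rather than a verdict on its own.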
MITRE Techniques:
Phishing (T1566): Utilizes deceptive emails to trick users into executing malicious files or visiting harmful links.
Execution (T1203): Executes malicious scripts through various file formats, such as CHM and DLL.
Credential Dumping (T1003): Leaks user account credentials to a command and control server via HTML files.
Command and Control (T1071): Communicates with compromised systems through encoded PowerShell commands and other scripts.
Data Encrypted for Impact (T1486): Uses malware to encrypt or steal sensitive user information.
IoC:
[file name] NTS_eTaxInvoice.zip
[file name] NTS_eTaxInvoice.chm
[file name] NTS_eTaxInvoice.exe
[tool name] XWorm
Full Research: https://asec.ahnlab.com/en/84968/