Warning: Phishing Emails Impersonating Major Korean Entertainment Agencies

Short Summary:

The AhnLab Security Intelligence Center (ASEC) reports a rise in phishing emails impersonating major Korean entertainment agencies. These emails trick recipients into clicking a link that downloads a Python-based Infostealer disguised as a PDF. The malware collects sensitive information and sends it to the threat actor’s Telegram chat room.

Key Points:

  • ASEC releases phishing email statistical reports.
  • Phishing emails impersonate Korean entertainment agencies.
  • Threat actors use fake notices about unauthorized image use to lure victims.
  • Malware is disguised as a PDF file using a misleading file name.
  • The Infostealer collects various system and user data.
  • Users are advised to be cautious with unknown emails and attachments.
  • It is recommended to always display file extensions to identify potential threats.

MITRE ATT&CK TTPs – created by AI

  • Infostealer – T1056
    • Collects system information, browser data, messenger information, and screen captures.
    • Sends collected data to the threat actor’s Telegram chat room.
  • Masquerading – T1036
    • Disguises the malware as a PDF by changing the icon and manipulating the file name.

AhnLab Security Intelligence Center (ASEC) releases weekly and quarterly phishing email statistical reports on the ASEC blog, with fake login, delivery, and purchase order request types being the most common. However, it has been confirmed that phishing emails impersonating major Korean entertainment agencies have recently been distributed in Korea. The threat actor disguised the message as a notice about the unauthorized use of the agency's images in Facebook and Instagram ads, prompting recipients to click a hyperlink to check which photos were used.

Figure 1. Phishing emails

Clicking the link downloads a Python-based Infostealer disguised as a PDF: its icon is changed to a PDF icon, and numerous spaces are inserted into the file name to push the application (EXE) extension out of view. As shown in the figure below, when a file name contains many spaces it is truncated with “…” unless it is clicked on; the threat actor exploits this by placing “.pdf” before the truncation point so that users believe it is an actual PDF file.

Figure 2. Malware disguised as a PDF file
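The padded-file-name masquerade shown in Figure 2 can be caught at the mail gateway or on the endpoint before a user ever sees the attachment. The script below is an added example written for this summary; it is not ASEC's code and does not come from the original post. It treats a name whose real (last) extension is executable but whose visible part ends in a document extension, or is followed by a long run of blanks, as a masquerade. The extension lists, the `min_pad` threshold and the non-space blank code points are assumptions that generalize the plain spaces the text describes, and the sample names are constructed, not names observed in the campaign.

```python
# Added example (not code from the ASEC post): heuristic check for attachment
# names that hide an executable extension behind a decoy document extension
# and a run of blank characters, the masquerade described above.

# Extensions that Windows executes directly when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".lnk"}
# Document and image extensions commonly used as the visible decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".hwp", ".jpg", ".png", ".txt"}
# Characters rendered as blank in a file name. The post describes ordinary
# spaces; the other code points are an assumption covering the same trick.
PAD_CHARS = (" \t\u00a0\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007"
             "\u2008\u2009\u200a\u202f\u205f\u3000")


def analyze_filename(name: str, min_pad: int = 8) -> dict:
    """Classify one attachment name.

    severity: "high"   - decoy extension or blank padding hides an executable
              "medium" - plain executable attachment (worth a second look)
              "none"   - nothing suspicious in the name itself
    """
    base = name.rstrip(PAD_CHARS)                  # blanks after the real extension change nothing
    stem, dot, ext = base.rpartition(".")
    real_ext = (dot + ext).lower() if dot else ""  # the extension Windows actually honours
    visible = stem.rstrip(PAD_CHARS)               # what survives once "..." truncation hides the padding
    pad_len = len(stem) - len(visible)
    _, vdot, vext = visible.rpartition(".")
    shown_ext = (vdot + vext).lower() if vdot else ""

    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        if pad_len >= min_pad:
            reasons.append(f"{pad_len} blank characters push {real_ext} out of view")
        if shown_ext in DECOY_EXTS:
            reasons.append(f"decoy extension {shown_ext} shown before real extension {real_ext}")
        severity = "high" if reasons else "medium"
        if not reasons:
            reasons.append(f"executable attachment ({real_ext})")
    else:
        severity = "none"

    return {"name": name, "real_ext": real_ext, "shown_ext": shown_ext,
            "pad_len": pad_len, "severity": severity, "reasons": reasons}


def triage(names) -> list:
    """Return analyses for every flagged name, highest severity first."""
    rank = {"high": 0, "medium": 1}
    flagged = [r for r in map(analyze_filename, names) if r["severity"] != "none"]
    return sorted(flagged, key=lambda r: rank[r["severity"]])


# Constructed sample names for this example, not names observed in the campaign.
SAMPLE_NAMES = [
    "Unauthorized_image_use_notice.pdf" + " " * 120 + ".exe",  # the trick in Figure 2
    "used_photos.jpg" + "\u00a0" * 30 + ".scr",                 # same trick with NBSP and .scr
    "agreement.pdf.exe",                                        # double extension, no padding
    "notice.pdf",                                               # genuine document
    "installer.exe",                                            # plain executable
]

if __name__ == "__main__":
    for r in triage(SAMPLE_NAMES):
        print(f"[{r['severity']}] {r['name']!r}: {'; '.join(r['reasons'])}")
```

The check deliberately looks only at the name, so it complements rather than replaces icon or hash-based rules: a double extension such as `agreement.pdf.exe` is flagged even with no padding, and a plain `.exe` attachment is surfaced at medium severity so the "be suspicious if the attached file is an EXE" advice from the post can be enforced mechanically.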

Upon execution, the malware displays a normal PDF document unrelated to copyright infringement while it collects system information, browser data, messenger information, screen captures, Steam information, and more, sending them to the threat actor’s Telegram chat room.

Figure 3. PDF file displayed upon execution

As such, it is crucial to exercise caution when viewing emails and handling attachments from unknown sources, and if an attachment is downloaded, users should refrain from executing unknown files. Additionally, users should configure their system to always display file extensions, as shown in the picture below, and be suspicious if an attached file turns out to be an EXE.

Figure 4. How to show file extensions

MD5

0d2932a7418de348350ef0ac8e8ad3f6
3ce49df50854f9c1d4b4ac322c06868a
d6fea1f619099542c84122dd44f35559

Source : https://asec.ahnlab.com/en/83953/