ESTsecurity Corp. said it detected a sophisticated spear phishing (an information theft attack that targets specific victims) campaign aimed at corporate managers and urged corporations to be cautious.
ESTsecurity Corp. said on the 15th that through the Advanced Persistent Threat (APT) detection system operated by the ESTsecurity Response Center (ESRC), it detected a targeted malicious email attack that exploited the theme of "request to check suspected personal information leak."
Unlike past methods that randomly distributed malware to an unspecified number of people, this attack is characterized by a classic "social engineering" technique that, after exchanging multiple normal emails with a working-level manager at a specific corporation and building trust, lures the person into executing a malicious file.
In the first attempt, when the malicious link in the email was blocked by the corporation's security solution, the attacker reassured the manager by saying, "Our in-house security team's inspection found no issues, and it appears to be a false positive," then resent the malware in a password-protected compressed file to evade antivirus scanning.
When the user unzips the archive and runs the malicious Windows shortcut (LNK) file disguised as a regular document, 32-bit PowerShell is invoked in the background to evade detection by some security solutions. To the user's eye a normal Excel or PDF customer status document opens, but behind that decoy the shortcut's payload collects system information and carries out additional malicious actions.
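As an added example (not code from ESTsecurity or the article), the Python parser below reads a Windows shortcut's header and string data and flags the two traits described above: a target under SysWOW64, the standard 32-bit PowerShell location on 64-bit Windows (a path the article does not name), and a launch window that is not shown normally. The LNK samples are constructed fixtures with placeholder arguments.

```python
import struct

# ShellLinkHeader LinkFlags bits and the normal ShowCommand value (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, SW_SHOWNORMAL = 0x01, 0x02, 0x80, 1
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a Unicode .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & IS_UNICODE:
        raise ValueError("ANSI string data not handled by this parser")
    out, pos = {"show_command": struct.unpack_from("<I", data, 60)[0]}, 76
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:  # CountCharacters (2 bytes) then UTF-16LE chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            out[key] = data[pos + 2:pos + 2 + 2 * n].decode("utf-16-le")
            pos += 2 + 2 * n
    return out

def assess_lnk(data: bytes) -> list:
    """Flag a PowerShell target (32-bit if under SysWOW64) and a non-normal window."""
    info = parse_lnk(data)
    text = " ".join(v for k, v in info.items() if k != "show_command").lower()
    findings = []
    if "powershell" in text:
        arch = "32-bit (SysWOW64) " if "syswow64" in text else ""
        findings.append("launches " + arch + "PowerShell")
    if info["show_command"] != SW_SHOWNORMAL:
        findings.append("window not shown normally (ShowCommand=%d)" % info["show_command"])
    return findings

def build_lnk(relative_path: str, arguments: str, show_cmd: int) -> bytes:
    """Constructed fixture (not from the article): minimal Unicode LNK with path + args."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments))

# Constructed samples: a decoy-style shortcut (7 = SW_SHOWMINNOACTIVE) and a benign one
SUSPECT = build_lnk(r"..\..\..\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                    "PLACEHOLDER_ARGUMENTS", 7)
BENIGN = build_lnk(r"..\Documents\customer_status.xlsx", "", SW_SHOWNORMAL)
```

Running `assess_lnk(SUSPECT)` yields both findings while `assess_lnk(BENIGN)` yields none; the same check can be run over LNK files extracted from mail attachments before a user opens them.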
ESRC said that a close analysis of three collected malicious samples found they all shared the same internal structure and a decoy document (disguised as a customer status file). It added that this is similar to the typical attack methods of the North Korea-linked hacking group Kimsuky.
An ESRC official said, "This attack used 'personal information leakage,' the top concern and vulnerability of security managers, as its pretext to avoid suspicion," and added, "If the sender is an outsider, be especially careful when opening attachments or clicking links, even if the conversation seems natural."
The official added, "If someone claims a file blocked once by a security solution is a false positive and resends it as a password-protected archive, it is a clear sign of an attack and must never be executed."