Lokibot Malware Disguised as National Tax Service Email Being Distributed

The ASEC analysis team has recently discovered that malicious emails impersonating Hometax, the National Tax Service's online tax portal, are still being distributed. The sender address is hometaxadmin@hometax.go[.]kr or hometaxadmin@hometax[.]kr, identical to the case found last year, and the email body refers to electronic tax invoice materials.

Figure 1. Email that is being distributed 1

Figure 2. Email that is being distributed 2

This type of email has been distributed continuously. In last year's case, the attachment was a PPT file containing a malicious macro; the recent emails instead carry a compressed archive that holds a malicious executable.

The compressed file attached to the email contains an executable (see figure below). The executable's filename includes the same date as the publication date written in the email.

Figure 3. Compressed file attached to the email

Figure 4. exe file that exists inside the compressed file

Both attachment files are Lokibot malware. However, one is a VB-compiled executable and the other an NSIS installer, which suggests that the attacker is building the malware in several different forms. Upon execution, the malware collects stored credentials and other information from programs such as web browsers, email clients, and FTP clients and sends them to hxxp://63.250.34[.]171/tickets.php.

As malware disguised as the National Tax Service continues to be distributed, users must take extra caution. Because the sender address closely resembles the actual address of the National Tax Service, it is difficult for users to recognize the email as phishing. Users should scan attached files with an anti-malware program before opening them and refrain from running email attachments immediately.
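The campaign described above combines two signals a mail gateway can act on: a sender address that matches the spoofed Hometax addresses, and a compressed attachment whose member is a Windows executable. The following triage script is an added example written for this post, not code from ASEC or AhnLab. It parses a raw email, unpacks any ZIP attachment in memory, flags members that carry an executable extension or the `MZ` PE signature (whatever name they were given), and compares each member's MD5 against the hashes listed in the IOC section. The sample email it builds is constructed for the demonstration: the sender and hashes come from the post, while the attachment name, the date in it, and the two-byte fake PE payload are placeholders.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Sender addresses observed in the campaign (from the post's description).
SPOOFED_SENDERS = {
    "hometaxadmin@hometax.go.kr",
    "hometaxadmin@hometax.kr",
}

# MD5 hashes listed in the post's IOC section.
KNOWN_MD5 = {
    "9ff3b37069e0772af03732b022c02789",
    "e779a8be256d298c6d96884724d7792b",
}

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def inspect_archive(data: bytes) -> list:
    """Describe every member of a ZIP archive held in memory.
    A member counts as executable when it has an executable extension or
    starts with the 'MZ' signature of a Windows PE file, so renaming the
    file inside the archive does not hide it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            digest = hashlib.md5(content).hexdigest()
            findings.append({
                "name": info.filename,
                "md5": digest,
                "executable": content[:2] == b"MZ"
                or info.filename.lower().endswith(EXECUTABLE_EXTENSIONS),
                "known_ioc": digest in KNOWN_MD5,
            })
    return findings


def triage_email(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report the campaign's two signals:
    a spoofed sender and a compressed attachment carrying an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    # addr_spec drops any display name such as "National Tax Service <...>".
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    report = {"sender": sender, "spoofed_sender": sender in SPOOFED_SENDERS,
              "attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(), "members": []}
        if payload[:4] == b"PK\x03\x04":  # local file header of a ZIP archive
            entry["members"] = inspect_archive(payload)
        report["attachments"].append(entry)
    report["executable_in_archive"] = any(
        m["executable"] for a in report["attachments"] for m in a["members"])
    # Either signal alone is enough to quarantine for manual review.
    report["block"] = report["spoofed_sender"] or report["executable_in_archive"]
    return report


def build_sample_email(sender: str, name: str, data: bytes, subtype: str) -> bytes:
    """Constructed sample message with one attachment (test fixture only)."""
    msg = EmailMessage()
    msg["From"] = f"National Tax Service <{sender}>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Electronic tax invoice"
    msg.set_content("Please check the attached electronic tax invoice.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


def fake_pe_zip(member_name: str) -> bytes:
    """ZIP holding a placeholder 'PE': just the MZ header plus padding, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    # Date in the filename is a placeholder; the post says it matches the email's date.
    raw = build_sample_email("hometaxadmin@hometax.kr", "TaxInvoice_20230101.zip",
                             fake_pe_zip("TaxInvoice_20230101.exe"), "zip")
    print(triage_email(raw))
```

The `block` decision is deliberately an OR of the two signals: a gateway that only checks the archive would still let through a lookalike-sender email with a macro document, and one that only checks the sender would miss the same lure sent from a fresh domain.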

[V3 Detection]

  • Trojan/Win.VBKrypt.R454818
  • Malware/Win.Generic.C4802414

[MD5]

  • 9ff3b37069e0772af03732b022c02789
  • e779a8be256d298c6d96884724d7792b

[URL]

  • http[:]//63[.]250[.]34[.]171/tickets[.]php
