Lokibot Malware Disguised as National Tax Service Email Being Distributed

The ASEC analysis team has recently discovered that malicious emails disguised as Hometax are consistently being distributed. The sender address used in the email is hometaxadmin@hometax.go[.]kr or hometaxadmin@hometax[.]kr, identical to the case found last year, and the email contains electronic tax invoice related materials.

Figure 1. Email that is being distributed 1

Figure 2. Email that is being distributed 2

This type of email has consistently been distributed. In last year’s case, the email had PPT file as an attachment that has malicious macro included, but recently, it is being distributed in the form of a compressed malicious executable.

Inside the compressed file attached to the email, there is an executable (see figure below). The filename includes the same date as the date of publication written in the email.

Figure 3. Compressed file attached to the email

Figure 4. exe file that exists inside the compressed file

Both attachment files are Lokibot malware. However, as each file is in the form of VB and NSIS, it appears that the attacker is developing various forms of malware. Upon running the file, it sends information of programs such as web browsers, email clients, and FTP clients to hxxp://63.250.34[.]171/tickets.php.

As there have been continuous distributions of malware disguised as the National Tax Service, users must take extra caution. As the sender address is similar to the actual address of the National Tax Service, it is difficult for users to figure out that it is a phishing email. Users should scan these files using anti-malware programs firsthand, and refrain from immediately running the files attached to the email.

[V3 Detection]

  • Trojan/Win.VBKrypt.R454818
  • Malware/Win.Generic.C4802414

[Relevant IOC Info]

  • e779a8be256d298c6d96884724d7792b
  • 9ff3b37069e0772af03732b022c02789
  • hxxp://63.250.34.171/tickets.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments