The ASEC analysis team has recently discovered that malicious emails disguised as Hometax are consistently being distributed. The sender address used in the email is firstname.lastname@example.org[.]kr or hometaxadmin@hometax[.]kr, identical to the case found last year, and the email contains electronic tax invoice related materials.
This type of email has consistently been distributed. In last year's case, the email carried a PPT file with a malicious macro as an attachment, but recently it is being distributed in the form of a compressed malicious executable.
Inside the compressed file attached to the email, there is an executable (see figure below). The filename includes the same date as the date of publication written in the email.
Both attachment files are Lokibot malware. However, as the files are in VB and NSIS form, it appears that the attacker is developing various forms of malware. Upon running, the file sends information from programs such as web browsers, email clients, and FTP clients to hxxp://63.250.34[.]171/tickets.php.
As malware disguised as the National Tax Service continues to be distributed, users must take extra caution. As the sender address is similar to the actual address of the National Tax Service, it is difficult for users to figure out that it is a phishing email. Users should first scan these files using anti-malware programs, and refrain from immediately running the files attached to the email.
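A mail-gateway triage check for the delivery pattern described above (a message claiming a hometax[.]kr sender with a compressed executable attached), given as an added example that is not ASEC's code. It assumes the archive is a ZIP, since the post only says "compressed"; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

WATCHED_DOMAIN = "hometax.kr"  # sender domain named in the post (defanged there)

def pe_members(blob):
    """Names of ZIP members that start with the PE 'MZ' magic, whatever their extension."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        if fh.read(2) == b"MZ":
                            hits.append(info.filename)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # not a ZIP, or an encrypted member; other formats are out of scope here
    return hits

def triage(raw_eml):
    """Flag mail that claims the watched domain and carries a zipped executable.
    The From header is spoofable, so this is a hold-for-review heuristic only."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_watched = addr.endswith("@" + WATCHED_DOMAIN)
    exes = []
    for part in msg.iter_attachments():
        exes += pe_members(part.get_payload(decode=True) or b"")
    return {"from_watched_domain": from_watched,
            "zipped_executables": exes,
            "flag": from_watched and bool(exes)}

def build_sample(member="tax_invoice_sample.exe", content=b"MZ" + b"\x00" * 62):
    """Constructed, inert test message: 'MZ' followed by zero bytes is not a runnable program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "Hometax <hometaxadmin@hometax.kr>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Electronic tax invoice (constructed sample)"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```
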