Infostealer Disguised as Well-Known Korean Web Portal File

The ASEC analysis team has discovered an infostelaer type malware disguised as a file related to a Korean web portal. The team found the file in the malicious URL used in recent phishing emails with the compressed file including an executable named ‘NaverProtector.exe’.

The email with the malicious URL contains information about Kakao account as shown below. When users click the <Lift Protection> button, they are redirected to hxxp://mail2.daum.confirm-pw[.]link/kakao/?email=[email address] and will have their account credentials stolen by the malware.

Figure 1. Phishing email

When users access the parent URL (hxxp:// of the URL existing in the phishing email, they are redirected to hxxp://[.]online/ and have the file downloaded.

Figure 2. file

The name and icon of the file are disguised as being related to a Korean web portal program.

Figure 3. File properties of NaverProtector.exe

When the file is run, it creates the %AppData%\Local\Microsoft\Outlooka folder and then drops and executes additional malicious files such as AWasctUI.exe and rdpclipe.exe.

AWasctUI.exe collects user PC information and sends it to the attacker while rdpclipe.exe performs keylogging. The file also creates the following link files within the Startup folder to allow each malicious file to be automatically run.

  • \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWastUI.exe.lnk      
  • \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rdpclipe.exe.lnk

When rdpclipe.exe is run, it creates COMMA1UP_RKey.txt in the \AppData\Local\Microsoft\Outlooka folder and saves logs such as users’ key entries.

Figure 4. Created COMMA1UP_RKey.txt file

When AWasctUI.exe is run, it uses the cmd /c systeminfo command to save the result in the Outlooka folder with the name SysInfo_UP_[day]_[Hour]_[min].pdf.

Figure 5. Created SysInfo_UP_[day]_[Hour]_[min].pdf file

The file then executes the tree command through powershell to search drives from A to Z and saves the list of folders and files within the subdirectory of the each drive folder in the file named UP[drive name].

$dir = 'C:\Users\vmuser\AppData\Local\MICROS~1\Outlooka\';
$gps = @('A','B','C','D','E','F','G','H','I','H','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');
foreach ($gp in $gps){$drv = $gp + ':\';
$path = $dir + '\UP' + $gp;
tree /f "$drv" | Out-File -Encoding default -FilePath $path -Width 5000;} }

It then sends the collected information such as files containing the name ‘UP’ in the Outlooka folder (COMMA1UP_RKey.txt and UP[drive name]) to hxxp://66.94.98[.]48/ESOK/post2.php.

Figure 6. Screen for information sending packet

Also, the following information is saved in the nlashine.ini file, which is used in the filename when sending the collected information.

idnx=[(PC name)](user name)[IP address](random value)

Content of nlashine.ini

As the malicious file accesses 66.94.98[.]48/ESOK/dwn.php?downfname=[(PC name)](user name)[IP address](random value) to download additional data and save it in AppData\Local\MICROS~1\Outlooka\dwn.dat, there is a possibility of the malware performing other malicious behaviors besides leaking information.

As NaverProtector.exe drops OTPGenerator.exe in the TEMP folder and runs the program along with the malicious files mentioned above, it is difficult for users to realize that malware is being run.

Figure 7. Execution screen of OTPGenerator.exe

Since the malware discussed in this post is disguised as a program related to a Korean web portal, it is likely that it is targeting Korean users. As malicious files pretending to be normal files are constantly being distributed, users need to take extra caution.

V3 detects and blocks the malware using the aliases below.

[File Detection]

  • Dropper/Win.Agent
  • Infostealer/Win.Agent
  • Trojan/Win.KeyLogger

[IOC Info]

  • 2b695c8132a1ab1b4014b4fc2f4a2eb4
  • 7b9810dc2faf3e285aafc521d12b11c7
  • 90bb1658ae192ea30c270a0636428995
  • hxxp://mail2.daum.confirm-pw[.]link
  • hxxp://66.94.98[.]48/ESOK/dwn.php
  • hxxp://66.94.98[.]48/ESOK/post2.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 2 votes
Article Rating
Notify of

Inline Feedbacks
View all comments