Warning Against Phishing Emails Impersonating Major Korean Entertainment Agencies
AhnLab SEcurity Intelligence Center (ASEC) publishes weekly and quarterly phishing email statistics on the ASEC blog, where fake login, delivery notification, and purchase order request lures are consistently the most common types. Recently, however, ASEC confirmed that phishing emails impersonating major Korean entertainment agencies are being distributed in Korea. The threat actor disguised the message as a notice that the recipient had used the agency's images without authorization in Facebook and Instagram ads, and urged the recipient to click a hyperlink to check which photos had been used.

Figure 1. Phishing emails
Clicking the link downloads a Python-based infostealer disguised as a PDF: the file's icon is changed to a PDF icon, and a long run of spaces is inserted into the file name to push the real application (EXE) extension out of view. As shown in the figure below, Windows Explorer truncates a long file name with "…" unless the file is selected, so the threat actor places ".pdf" before the truncation point to make the file pass as a genuine PDF document.

Figure 2. Malware disguised as a PDF file
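The padded double-extension trick above is easy to catch programmatically once you look at the real (last) extension rather than the part of the name Explorer shows. The following is an added example, not code from the ASEC post or from the malware: it flags attachment names whose final extension is executable while a document-like decoy extension sits in front of it, reports how many padding characters separate the two, and shows how a narrow file-list column hides the real extension. The extension lists and sample names are assumptions constructed for the example, not the actual file names from this campaign.

```python
import re
from typing import Optional

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "js", "vbs", "lnk"}
# Document/image extensions commonly used as the decoy shown to the user.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "hwp", "txt", "jpg", "jpeg", "png"}

# Characters used as invisible padding between the decoy and the real extension:
# ordinary space, tab, no-break space, en/em space and the CJK ideographic space.
PAD_CHARS = " \t\u00a0\u2002\u2003\u3000"
PAD_CLASS = "[" + PAD_CHARS + "]"

_REAL_EXT = re.compile(r"^(?P<stem>.*)\.(?P<real>[A-Za-z0-9]{1,5})$", re.S)
_DECOY_EXT = re.compile(r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>" + PAD_CLASS + r"*)$")


def analyze_filename(name: str) -> Optional[dict]:
    """Flag a filename that hides an executable extension behind a padded decoy extension.

    Returns a dict describing the disguise, or None if the name looks benign.
    """
    # Strip trailing padding first, so a name padded at the very end cannot
    # hide its real extension from the regex below.
    m = _REAL_EXT.match(name.rstrip(PAD_CHARS))
    if m is None:
        return None
    real = m.group("real").lower()
    if real not in EXECUTABLE_EXTS:
        return None
    # Look for "<decoy extension><padding>" immediately before the real extension.
    d = _DECOY_EXT.search(m.group("stem"))
    if d is None or d.group("decoy").lower() not in DECOY_EXTS:
        return None
    return {
        "real_ext": real,
        "decoy_ext": d.group("decoy").lower(),
        "padding": len(d.group("pad")),
    }


def truncated_display(name: str, width: int = 24) -> str:
    """Approximate how a narrow file-list column cuts a long name with an ellipsis."""
    return name if len(name) <= width else name[: width - 1] + "…"


# Constructed sample attachment names (not the actual file names from the campaign).
SAMPLES = [
    "Image_Usage_Notice.pdf" + " " * 60 + ".exe",   # the padding trick described above
    "invoice.pdf.exe",                              # plain double extension, no padding
    "Image_Usage_Notice.pdf",                       # a genuine PDF
    "setup.exe",                                    # an honest executable
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = analyze_filename(sample)
        print(f"{truncated_display(sample)!r:30} -> {verdict}")
```

Run as a script, the first sample is displayed as `'Image_Usage_Notice.pdf …'` with the `.exe` cut off, exactly the effect the attacker relies on, while `analyze_filename` still reports `real_ext` `exe` behind a `pdf` decoy with 60 padding characters. A plain `invoice.pdf.exe` is reported with `padding` 0, and the genuine PDF and the honest executable return `None`. The same check can be applied to names from a mail gateway log or an extracted attachment list.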
Upon execution, the malware opens a decoy PDF document unrelated to any copyright infringement and, in the background, collects system information, browser data, messenger data, screen captures, Steam account information, and more, then sends it to the threat actor's Telegram chat room.

Figure 3. PDF file displayed upon execution
As such, users should be cautious when reading emails and handling attachments from unknown sources, and should not run unfamiliar files even after downloading them. Additionally, users should configure Windows to always display file name extensions, as shown in the figure below, and treat any attachment whose real extension is EXE as suspicious.

Figure 4. How to show file extension