Phishing Emails Impersonating the National Tax Service (NTS)
AhnLab SEcurity intelligence Center (ASEC) has recently identified phishing emails impersonating the tax authority in Korea called National Tax Service (NTS, also known as Hometax). The email body is disguised as the contents of an electronic tax invoice, and the recipient is asked to open the attached HTML file for verification.
Phishing emails impersonating the NTS have been consistently distributed for a long time. The file name always includes “NTS_eTaxInvoice”. These phishing emails distribute various types of malware, including EXE, document, and LNK malware. ASEC has covered this topic in several blog posts.
-
Lokibot Malware Disguised as National Tax Service Email Being Distributed
-
Trend Report on Phishing Malware Impersonating the National Tax Service (NTS)
Figure 1. Phishing email body
In this case, the malware is being distributed through HTML files, all named “NTS_eTaxInvoice.html“. When the HTML file is executed, a page unrelated to the tax invoice is displayed, prompting users to enter their email account and password.
Figure 2. Screen shown when the HTML file is executed
Clicking the “View Document” button sends the user’s email account and password to the attacker’s chat room via a combination of a Telegram Bot Token and Chat ID embedded within the HTML file. Telegram is often used by attackers due to its ease of creation and management, and because it is free of charge.
Figure 3. Telegram Bot Token and Chat ID embedded in HTML (Top), Screen showing the information being sent to the threat actor’s chat room (Bottom)
Users must be extra cautious when opening emails from unknown sources. It is important to verify the sender’s identity and avoid clicking on suspicious links or opening attachments. Emails that request personal or financial information should be treated with extra care. Recently, there has been an increase in attackers using legitimate platforms as C2 servers, making these attacks harder to detect. Therefore, users need to be even more vigilant.
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.
