Infostealer Disguised as Copyright Infringement Document Distributed in Korea
AhnLab SEcurity intelligence Center (ASEC) has confirmed that Infostealer malware disguised as a document containing legal responsibilities and copyright infringement facts is continuously being distributed in Korea. It is mainly distributed through links in email attachments, and the email instructs the recipients to download the evidence related to the copyright infringement.
- Link in Email Attachment (1)
hxxps://tr[.]ee/3FKnsw
- Link in Email Attachment (2)
hxxps://laurayoung2169944-dot-yamm-track.appspot[.]com/2gwdQgyj0E2vzqvbGg2Q8Vfawz52qe38tVH-Y92ZoVgBqJibClgEzOCbYyqGbTJh0dKhw8GQbFc_Fesz7f9zrLq-2V-eP1KMh9_AEWIYxXvJBaYeQMZELdDvNm3D-jXjmCZhpz_vekp6k6wRmVhQAy8E8tvBKAmido8oujb3kXgIEfYHLKv2LcSBPU3qzwd3tG0yoQroSnpBWvxoJ0Cigir-WRpFZtmNqF9GzWiYvcbQYCA_FW112o2ZfGIvFBZS2YBmvm5iJcYtbCXPbhF_PffE2uiWA

Figure 1. Distributed email (1)
(Content: A notice warning copyright infringement)

Figure 2. Distributed email (2)
(Content: A warning on copyright infringement)
The malware being distributed can be largely categorized into two types based on their execution methods, and both are being distributed in the form of compressed files.
Type 1: DLL Side-Loading
The first type uses the DLL Side-Loading technique. This technique places a malicious DLL, named after a DLL that a legitimate application loads, in the same folder as that application, so that the malicious DLL is executed when the legitimate application is run. The following are some of the file names being distributed.
- File Name for Distribution
Definite evidence helps to confirm the criminal behavior.zip
Evidence supporting ownership rights.zip
Evidence verified through the investigation.zip
Documents and evidence of intellectual property rights infringement.zip
Document proving intellectual property rights infringement.zip

Figure 3. Distributed file (1)
(Definite evidence helps to confirm the criminal behavior.zip)

Figure 4. Distributed file (2)
(Documents and evidence of intellectual property rights infringement.zip)

Figure 5. Distributed file (3)
(Evidence verified through the investigation.zip)
The compressed file contains a legitimate EXE (PDF Reader program) and a malicious DLL. When a user executes the EXE file, the malicious DLL is loaded, activating the Rhadamanthys Infostealer. Rhadamanthys performs DLL injection into legitimate Windows system programs and ultimately exfiltrates information related to email, FTP, online banking services, etc., and transmits it to the threat actor’s server.
- Injection Target Processes
%Systemroot%\system32\openwith.exe
%Systemroot%\system32\dialer.exe
%Systemroot%\system32\dllhost.exe
%Systemroot%\system32\rundll32.exe
Type 2: Double Extension
The second type uses a double extension to disguise the file as a document file. Most operating systems hide known file extensions by default, so an EXE file named with a double extension such as “.pdf.exe” or “.docx.exe” is displayed as a “.pdf” or “.docx” document. Some of the file names being distributed are listed below.
- File Names Being Distributed
Evidence and Detailed Information on Copyright Infringement.zip
Documents Proving the Violation Have Been Collected (1).zip
Copyright Infringement and Data Information.zip

Figure 6. Distributed file (3)
(Evidence and Detailed Information on Copyright Infringement.zip)

Figure 7. Distributed file (4)
(Copyright Infringement and Data Information.zip)

Figure 8. Distributed file (5)
(Documents Proving the Violation Have Been Collected (1).zip)
The compressed file contains a malicious EXE file and a text file. The EXE file is disguised as a PDF document using a double extension, and the text file contains a message prompting users to execute the malicious EXE file. When a user executes the malicious EXE file, the Infostealer malware is activated and uses a PowerShell command to terminate specific processes. Ultimately, user information such as browser account credentials and screen captures is stolen and transmitted to the threat actor’s server.
- Processes targeted for termination
ksdumperclient, regedit, ida64, vmtoolsd, vgauthservice, wireshark, x32dbg, ollydbg, vboxtray, df5serv, vmsrvc, vmusrvc, taskmgr, vmwaretray, xenservice, pestudio, vmwareservice, qemu-ga, prl_cc, prl_tools, joeboxcontrol, vmacthlp, httpdebuggerui, processhacker, joeboxserver, fakenet, ksdumper, vmwareuser, fiddler, x96dbg, dumpcap, vboxservice
These are debuggers, traffic-analysis tools, and virtual machine guest services, so terminating them hampers sandbox and manual analysis.

Figure 9. Text file
(Content: A warning on possible copyright infringement)
In addition, the Infostealer disguised as a copyright infringement document is being distributed in a similar form overseas. The target countries include Thailand, Hungary, Portugal, Greece, and Japan.
- File Names
違反を示す証拠/違反を示す証拠.pdf.exe (Evidence of Violation/Evidence of Violation.pdf.exe)
เอกสารร้องเรียนเกี่ยวกับการละเมิดลิขสิทธิ์.exe (Copyright Infringement Complaint Document.exe)
A nyomozási folyamat bizonyítéka.exe (Evidence of Investigation Process.exe)
Prova de violação após investigação.exe (Evidence of Violation After Investigation.exe)
Αποδεικτικά στοιχεία παραβίασης .exe (Violation Evidence.exe)
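A triage check for the two archive layouts described above (Type 1: a legitimate EXE shipped beside a DLL; Type 2: a double-extension EXE beside a text lure), as an added Python example that is not part of the ASEC post. The zip contents are constructed from the file names in the post; the inner EXE and DLL names of the Type 1 archive are assumptions.

```python
import io
import zipfile

# Document extensions the lure pretends to be, and the real executable types behind them.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}

def _split(member: str):
    """Return (folder, lower-cased list of dotted suffixes) for one zip member name."""
    folder, _, filename = member.rpartition("/")
    parts = filename.lower().split(".")
    return folder, ["." + p for p in parts[1:]]

def triage_archive(data: bytes) -> list[str]:
    """Flag the two archive layouts described in the post; returns one string per finding."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    findings = []
    per_folder: dict[str, set[str]] = {}
    for name in members:
        folder, suffixes = _split(name)
        last = suffixes[-1] if suffixes else ""
        per_folder.setdefault(folder, set()).add(last)
        # Type 2: "<document>.pdf.exe" looks like a PDF once the final extension is hidden
        if len(suffixes) >= 2 and last in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension: {name}")
    for folder, exts in per_folder.items():
        label = folder or "<root>"
        # Type 1: an EXE next to a DLL in the same folder is the side-loading layout
        if ".exe" in exts and ".dll" in exts:
            findings.append(f"exe+dll in same folder: {label}")
        # Type 2: a text file beside an executable is the "run this file" lure
        if exts & EXECUTABLE_EXTS and ".txt" in exts:
            findings.append(f"text lure beside executable: {label}")
    return findings

def build_sample_zip(members: list[str]) -> bytes:
    """Constructed sample: an in-memory zip with empty members (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed member names modelled on the post; the Type 1 inner names are assumptions.
SAMPLE_MEMBERS = [
    "Definite evidence helps to confirm the criminal behavior/PDFReader.exe",
    "Definite evidence helps to confirm the criminal behavior/support.dll",
    "Evidence and Detailed Information on Copyright Infringement.pdf.exe",
    "Read me first.txt",
    "違反を示す証拠/違反を示す証拠.pdf.exe",
]
```

Running `triage_archive(build_sample_zip(SAMPLE_MEMBERS))` reports both double-extension members, the EXE+DLL folder, and the text lure at the archive root.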
The file names being distributed are designed to make users feel psychological pressure or fear, prompting them to execute the files. Even when a legitimate program is executed, a malicious DLL placed alongside it may be loaded. Users should avoid executing suspicious files received via email or messenger.