phishing

LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails

The ASEC analysis team has recently discovered ransomware that is being distributed emails after disguising itself as resumes or copyright-related claims. The malicious emails with such content have been steadily distributed from the past. Unlike previous emails that distributed Makop ransomware, current cases have LockBit instead. Makop Ransomware Distributed As Copyright Violation Related Materials Makop Ransomware Disguised as Resume Being Distributed in Korea The emails that are confirmed for the distribution of malware have compressed files with passwords. As shown…

Increased Phishing Attacks Disguised as Microsoft

The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. As shown in the figure below, one of the collected samples is disguised as the company’s voice message to prompt users to click the attached playback file. Clicking the file redirects users to a phishing webpage disguised as a Microsoft login page. Another sample is an attachment disguised as a file that is sent with a scanner, prompting users to click the attachment. Again, clicking the…

Phishing Email Disguised as a Well-Known Korean Web Portal

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean web portal to collect user credentials. The phishing email demands the users to upgrade the mailbox storage, prompting them to click the link. Upon clicking the link, the user is redirected to the phishing page that prompts the users to enter their password. The figure below shows the subject and the details of the email, and the link redirects the user to the phishing page….

Phishing Script Files Being Distributed by Impersonating Various Groupware

The ASEC analysis team introduced ‘phishing websites targeting Korean email service users’ last year May through the TI analysis report and ASEC blog post. The team showed back then how the attackers leaked user credentials targeting users of NAVER WORKS, MAILPLUG, hiworks, Chollian, and Daum. Files that disguise themselves as company groupware login webpage to leak user account credentials are one of the common phishing types that have been distributed, with slight changes occurring in email title, content, name of…

Infostealer Disguised as Well-Known Korean Web Portal File

The ASEC analysis team has discovered an infostelaer type malware disguised as a file related to a Korean web portal. The team found the NAVER.zip file in the malicious URL used in recent phishing emails with the compressed file including an executable named ‘NaverProtector.exe’. The email with the malicious URL contains information about Kakao account as shown below. When users click the <Lift Protection> button, they are redirected to hxxp://mail2.daum.confirm-pw[.]link/kakao/?email=[email address] and will have their account credentials stolen by the…