Keypoints
- ASEC reports a recent increase in phishing emails posing as Korean entertainment agencies.
- Attackers lure recipients with fake notices about unauthorized use of images on Facebook and Instagram.
- Clicking the provided link downloads a Python-based infostealer that is disguised to look like a PDF.
- The disguise uses a PDF icon and a long run of spaces in the filename, so the display truncates the name and the trailing “.exe” extension is hidden behind “…”.
- Once run, the malware displays a harmless-looking PDF while collecting system, browser, messenger, Steam, and screen-capture data.
- Collected data is exfiltrated to the threat actor’s Telegram chat room.
- Users are advised to avoid executing unknown attachments and to always enable visible file extensions to detect disguised executables.
MITRE Techniques
- [T1056] Input Capture – Malware collects system and user data: ‘Collects system information, browser data, messenger information, and screen captures.’
- [T1036] Masquerading – The threat hides the executable as a PDF by changing the icon and filename spacing: ‘disguising it as a PDF by changing the icon to a PDF and adding numerous spaces in the file name.’
Indicators of Compromise
- [MD5 hash] Sample malicious file hashes reported – 0d2932a7418de348350ef0ac8e8ad3f6, 3ce49df50854f9c1d4b4ac322c06868a, and d6fea1f619099542c84122dd44f35559
- [Domain] Source/reporting site – asec.ahnlab.com (https://asec.ahnlab.com/en/83953/)
AhnLab’s Security Intelligence Center (ASEC) has observed phishing campaigns that impersonate major Korean entertainment agencies, distributing emails that claim the recipient’s images were used without permission in Facebook and Instagram ads. The messages prompt recipients to click a link to “check which photos were used,” and that click initiates the next stage of the attack.
Following the hyperlink, the victim is served a Python-based infostealer that is packaged as a Windows executable but visually presented as a PDF. The attackers achieve this by changing the file icon to a PDF and inserting a long sequence of spaces into the filename so the trailing “.exe” is pushed past the point where the file browser truncates the name with an ellipsis (“…”). Because only the truncated name is shown, the real extension stays out of sight unless the user explicitly inspects the full filename (or has extensions set to always display).
When the malicious file runs, it opens a benign-looking PDF so that the user sees normal content and remains unaware of malicious activity. Meanwhile, the malware collects a broad set of information from the infected host, including system information, browser data, messenger application data, screen captures, and Steam-related information. The harvested data is then transmitted to the attacker via a Telegram chat room controlled by the threat actor.
ASEC highlights several defensive steps to reduce risk. Users should treat unexpected emails and attachments from unknown senders with suspicion and avoid clicking links or running downloaded files. If an attachment is downloaded, do not execute it unless its provenance is verified. Additionally, configuring operating systems to always display file extensions makes it much easier to spot executables masquerading as documents, and users should be wary of any attachment that appears to be a PDF but is actually an EXE.
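As an added example (not code from the ASEC report), the following Python checker flags the two signs described above: a filename whose document extension is followed by whitespace padding and a real executable extension, and file contents whose leading bytes (MZ for a Windows PE, %PDF- for a genuine PDF) contradict the type the name advertises. The filenames and byte strings are constructed samples, and the checker also covers the unpadded double-extension variant.

```python
import re

# Extensions Windows will run even when the rest of the name looks like a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
PE_MAGIC, PDF_MAGIC = b"MZ", b"%PDF-"  # first bytes of a Windows executable / a real PDF
MIN_PADDING = 3  # a whitespace run this long already serves no purpose in an honest name
# Captures "<visible extension><whitespace padding><real extension>" at the end of a name.
TAIL = re.compile(r"(\.[A-Za-z0-9]{1,5})?(\s*)(\.[A-Za-z0-9]{1,5})$")

def split_name(name: str) -> tuple[str, str, str]:
    """Return (visible extension, padding, real extension), lower-cased; '' where absent."""
    m = TAIL.search(name)
    if not m:
        return "", "", ""
    return (m.group(1) or "").lower(), m.group(2), m.group(3).lower()

def inspect(name: str, head: bytes) -> set[str]:
    """Check one file's name and leading bytes; return finding codes (empty set = clean)."""
    visible, padding, real = split_name(name)
    findings = set()
    if real in EXECUTABLE_EXTS and visible in DOCUMENT_EXTS:
        findings.add("double_extension")      # notice.pdf.exe
        if len(padding) >= MIN_PADDING:
            findings.add("padded_extension")  # notice.pdf<spaces>.exe, the trick in the report
    if head.startswith(PE_MAGIC) and real not in EXECUTABLE_EXTS:
        findings.add("executable_bytes")      # PE image whose name does not admit it
    if real == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.add("bogus_pdf")             # claims to be a PDF, content is not
    return findings

def scan(samples: list[tuple[str, bytes]]) -> dict[str, set[str]]:
    """Return {name: findings} for every sample with at least one finding."""
    return {name: f for name, head in samples if (f := inspect(name, head))}

# Constructed samples modelled on the disguise in the report; not files from the campaign.
SAMPLES = [
    ("Image_Usage_Notice.pdf" + " " * 60 + ".exe", PE_MAGIC + b"\x90\x00\x03\x00"),  # padded
    ("Image_Usage_Notice.pdf.exe", PE_MAGIC + b"\x90\x00\x03\x00"),                  # unpadded
    ("Unauthorized_Photos.pdf", PE_MAGIC + b"\x90\x00"),                             # PE renamed
    ("Press_Release.pdf", PDF_MAGIC + b"1.7\n"),                                     # genuine PDF
    ("installer.exe", PE_MAGIC + b"\x90\x00"),                                       # honest EXE
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name!r}: {sorted(findings)}")
```

Reading the first bytes of each file with `open(path, "rb").read(8)` and feeding the path's name plus those bytes to `inspect` is enough to run this over a download folder.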
The report includes three MD5 hashes associated with the observed samples and links to the full advisory and images that demonstrate the phishing message, the filename-obfuscation trick, the displayed PDF, and instructions for showing file extensions in the OS. Read more: https://asec.ahnlab.com/en/83953/