– Attackers collect work emails sent by users, such as official reports for issuing commendations, requests to confirm video edits, and invitations to events, and attempt to spread malware by replying to those emails.
– Clicking ‘Enable Content’ in the attached malicious Excel file infects the user with malware, which then attempts to download additional malware.
– ▲Check the sender of emails from unknown sources and refrain from executing attachments/URLs ▲Apply the latest security patches for programs such as the OS (operating system), Internet browsers (IE, Chrome, Firefox, etc.) and Office software ▲Keep antivirus software up to date and run its real-time monitoring function
AhnLab (CEO Seok-gyun Kang) recently discovered a case of malicious code being distributed in replies to business emails on various topics and urged users to be cautious.
The attacker collected work-related emails in advance on topics such as sending official reports, requesting confirmation of edited versions of videos, and academic event information. Afterwards, the user who sent the email was targeted and a reply email was sent with a compressed file containing a malicious Excel file attached. In particular, the attacker included a threat to disclose information and a request for work in the reply to induce the user to execute the attached file.
There are three types of malicious emails discovered this time. ▲First, in response to an official report email sent by a specific user to issue a commendation, the attacker sent threatening content such as “Shall I show this email to your boss?” and “Check the attached file before the information is disclosed.” ▲Second, the attacker responded to an email sent by another user requesting confirmation of the edited version of a video with the content, “It would be nice if you could check all the data yourself. I attached the file.” ▲Third, in response to an academic event information email sent by a specific organization, the attacker wrote, “We have asked you to check the information a week in advance. The file has been copied, please check,” to encourage execution of the malicious attachment.
In all three cases, the malware operates the same way. If a user inadvertently downloads the attachment of the reply email and opens the malicious Excel file (.xlsm), a message appears saying ‘Click the Enable Content button to view the contents.’ If the user is fooled by the message and clicks the ‘Enable Content’ button at the top of the screen, they are infected with malware.
After infection, the malware can connect to the C&C server* and download additional malware such as ransomware and information-stealing malware. Currently, the V3 product line detects the malware. (*C&C server: Command & Control server, a server used by attackers to remotely control malware.)
To reduce damage from such malware, users must follow essential security rules: ▲Do not execute attachments/URLs in emails from unknown sources ▲Keep antivirus software up to date and run its real-time monitoring function ▲Scan files with the latest version of antivirus software before executing them ▲Apply the latest security patches for the OS (operating system), Internet browsers (IE, Chrome, Firefox, etc.), Office software, etc.
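An added example, not from AhnLab or the original article: a minimal Python pre-open check for the delivery format described above, a compressed file containing a macro-enabled Excel file. The function names, the size limit and the sample archive are assumptions constructed for illustration; it covers only zip archives and OOXML documents, not legacy .xls files.

```python
import io
import zipfile

# Macro-enabled OOXML extensions; the article's sample was an .xlsm in a compressed file.
MACRO_EXTS = (".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumption: do not inflate anything larger

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML (zip) container that carries a VBA macro project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())

def scan_archive(archive: bytes) -> list:
    """Return one finding per member of a zip attachment that needs review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member cannot be inspected
                findings.append({"name": info.filename, "reason": "encrypted"})
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "reason": "too large"})
                continue
            data = zf.read(info)
            if has_vba_project(data):  # content check catches renamed files too
                findings.append({"name": info.filename, "reason": "vba project"})
            elif info.filename.lower().endswith(MACRO_EXTS):
                findings.append({"name": info.filename, "reason": "macro extension"})
    return findings

def build_sample() -> bytes:
    """Constructed sample: a zip holding a stand-in .xlsm and a plain text file."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("xl/vbaProject.bin", b"\x00placeholder, not real VBA")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.xlsm", xlsm.getvalue())
        zf.writestr("readme.txt", "hello")
    return outer.getvalue()
```

A mail gateway or helpdesk script could call `scan_archive` on each zip attachment and quarantine the message when the result is non-empty.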
Seojun Jang, chief researcher of the AhnLab analysis team, said, “This case is characterized by an attacker collecting emails sent by users through various methods and attempting to spread malware by replying to the emails.” He added, “Because it was a reply to a directly sent email, users can be harmed without suspecting it, so to prevent this, you should not send emails or attachments from unknown sources.”
Source: Pangyo Techno Valley Official Newsroom