"Thought It Was a Security Alert Email"...Warning Issued Over Malicious MS Impersonation Emails
"Designed to Be Mistaken for a Real Security Alert"
A cyberattack has been discovered in which emails impersonating Microsoft (MS) security alerts are being used to spread malware to the PCs of users in Korea.
On June 15, Korean cybersecurity company Gnions announced that it had recently identified the distribution of the malware 'NarwahlRAT,' which is suspected to be the work of the North Korea-linked hacking group APT37, targeting users in Korea.
This attack was carried out through a spear-phishing email with the subject line "Security Check Notice Due to Repeated Occurrence of One-Time Authentication Codes." Although the sender appeared as the "MS Account Team," it was confirmed that the actual sender was not an official Microsoft account.
The email sought to instill anxiety about account takeover and misuse of the authentication codes, prompting recipients to check the attached "security notice." When the recipient saves and extracts the attachment, a file named "Cyber Security Advisory.lnk" appears, presented as a Hangul word-processor document. The name is chosen to look like a legitimate document so that the user opens it, which then installs the malware on the device.
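As an added example (not code from the article or from Gnions), the following mail-gateway check inspects a zip attachment for the delivery pattern described above: a Windows shortcut carried inside the archive under a document-like name. It assumes a constructed sample archive and a hypothetical `scan_archive` helper; the shortcut signature comes from the MS-SHLLINK file format.

```python
import io
import zipfile

# A Windows Shell Link (.lnk) file begins with HeaderSize 0x4C followed by the
# shell-link CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK spec).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a user would expect on a "security notice" document.
DOC_EXTENSIONS = {".hwp", ".hwpx", ".doc", ".docx", ".pdf"}


def scan_archive(zip_bytes: bytes) -> list[str]:
    """Return one finding per suspicious entry in a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Case 1: the extension itself says shortcut, whatever the name suggests.
            if lower.endswith(".lnk"):
                findings.append(f"{name}: Windows shortcut inside attachment")
            # Case 2: shortcut content hiding under another extension.
            elif head == LNK_MAGIC:
                findings.append(f"{name}: shell-link header under non-.lnk name")
            # Case 3: document extension followed by another one (e.g. notice.hwp.lnk).
            stem, _, last = lower.rpartition(".")
            if "." in stem and "." + stem.rpartition(".")[2] in DOC_EXTENSIONS:
                findings.append(f"{name}: document extension followed by .{last}")
    return findings


def build_sample_archive(lure_name: str = "Cyber Security Advisory.lnk") -> bytes:
    """Constructed test input: a lure-style shortcut next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Header only, no link target, so the entry is inert; the name mirrors the lure.
        zf.writestr(lure_name, LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text, nothing to flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_archive(build_sample_archive()):
        print(line)
```

The same check can be applied to any archive an e-mail gateway unpacks; extension-only filters miss case 2, which is why the header signature is compared as well.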
Gnions interpreted the malware's use of a folder named "naverwhale" as its working directory as an attempt to pass as the Naver Whale browser, which is widely used in Korea, and thus as a sign that Korean users were the specific target.
The company also noted that the malware processes identification strings related to KakaoTalk in its internal code, suggesting that it may have been created with the Korean user environment in mind.
NarwahlRAT can operate more than 30 different functions, including recording keyboard input, capturing screens, recording audio through the microphone, collecting files from USB storage devices, and executing remote commands, all at the direction of the attacker.
According to Gnions' analysis, this attack shows a structure and technique similar to the Python-based backdoor attack by the North Korea-linked hacking group APT37 that was publicly disclosed in May of last year.
Gnions stated, "There is a possibility that similar variants will continue to be utilized in the future," adding, "It is necessary to strengthen behavior-based detection systems."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.