User information leaked with malicious files using PPT files and macros.
Phishing e-mails disguised as ‘details on the issuance by the National Revenue Service of e-tax invoices’ were sent to an undisclosed number of people. The attack is a standard spear phishing technique: it sends the recipient an e-mail containing material of interest and induces them to open the attached malicious file.
12:40 GMT, Wednesday, November 25, 2020
Current e-mail spear phishing attacks have widely used malicious compressed files or MS Word documents, whereas this attack is distinguished by its use of PPT files, which are PowerPoint documents.
The attacker crafted the sender’s e-mail address to look like a real home address, so that the recipient would trust the e-mail and open the attachment. When the recipient mistakes the attached PPT file for a regular tax invoice and opens it, PowerPoint starts and a ‘security warning’ appears.
The security warning states that the source of the content is untrustworthy and that the ‘include macro’ button should be pressed only if the source is trusted.
Nothing appears on the PowerPoint screen when the macro button is pressed, but in fact the malicious code the attacker set in advance is ready to run. After that it scans the blank screen and fails to connect to a certain server, so that when the PowerPoint application is stopped, the user does not detect it.
A PowerShell command runs while accessing this server, and malicious files are inserted on a fileless basis during the user’s normal PC operation, stealing PC information.
Jong-Hyun Moon, head of the East Security Security Response Center, said, “In order to get several tax invoices released at the end of the company’s month, such a spear phishing email attack seems to have emerged. Because we use social engineering tactics, before opening an email attachment, you can get into the habit of double-checking whether the file is trustworthy.”
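For defenders, the chain described above (a PowerPoint macro that launches a PowerShell command which contacts a server) is visible in process-creation logs. The following is an added detection sketch, not code from the article or from East Security; the Sysmon-style field names, the watch lists and the sample events are assumptions constructed for illustration.

```python
import ntpath

# PowerPoint is the Office host named in the article; the child list is an assumed watch list.
OFFICE_PARENTS = {"powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed command-line markers for a script stage that reaches out to a server.
NETWORK_MARKERS = ("http://", "https://", "downloadstring", "net.webclient", "invoke-webrequest", "-enc")

def basename(path):
    """Lower-cased file name of a Windows path; empty string if the field is missing."""
    return ntpath.basename(path or "").lower()

def score_event(ev):
    """Return (severity, reasons) for one process-creation event, or None if not of interest."""
    if basename(ev.get("ParentImage")) not in OFFICE_PARENTS:
        return None
    child = basename(ev.get("Image"))
    if child not in SCRIPT_CHILDREN:
        return None
    reasons = [f"{child} started by PowerPoint"]
    cmd = (ev.get("CommandLine") or "").lower()
    hits = [m for m in NETWORK_MARKERS if m in cmd]
    if hits:
        reasons.append("command-line markers: " + ", ".join(hits))
    return ("high" if hits else "medium", reasons)

def detect(events):
    """Run score_event over a list of events and collect alerts in input order."""
    alerts = []
    for ev in events:
        result = score_event(ev)
        if result:
            alerts.append({"host": ev.get("Computer"), "severity": result[0], "reasons": result[1]})
    return alerts

# Constructed sample events (not taken from the article); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"Computer": "PC-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'POWERPNT.EXE "C:\Users\a\Downloads\invoice.ppt"'},
    {"Computer": "PC-01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "<constructed> https://example.invalid/stage"'},
    {"Computer": "PC-02", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"Computer": "PC-03", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because the payload is described as fileless, this parent-child relationship in endpoint telemetry may be the main artifact available; a file scan of the disk would not necessarily find anything.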