East Security warned that particular caution is needed, as a hacking attack disguised as an ID transaction contract for a well-known domestic portal service is under way.
In this attack, newly discovered by the East Security Security Response Center (hereinafter ESRC), the malicious file is named ‘2021-03-03 N company’s non-real name ID GOLD’s transaction contract completed copy.hwp.scr’, and it was captured being quietly distributed in Korea.
ESRC also explained that since the end of last year a number of similar attacks have been reported under names such as ▲all member information and password_xls(4).scr ▲management settlement and all data_xls(3).scr ▲transaction guide_and_price list_application guide_xls3.exe, and that they are still being discovered.
In such attacks, the file appears to be an ordinary document, but an executable (.EXE) or screen saver (.SCR) extension is hidden after a document extension such as Excel (.XLS) or Hangul (.HWP). This is the classic double-extension disguise technique.
The double-extension disguise exploits the fact that the Windows operating system (OS) hides file extensions for known file types by default.
On a PC using the Windows default settings, the real extension of a file manipulated with a double extension, such as EXE or SCR, is not shown; the file is displayed as ‘2021-03-03 N company non-real name ID GOLD’s transaction contract completed version.hwp’ and the like, so it is very likely to be mistaken for a normal document file.
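The following is an added example, not code from East Security or the article, showing how the disguise works and how a mail gateway or endpoint script can flag it. It reproduces what Explorer displays when extension hiding is on (only the final extension disappears, so ‘x.hwp.scr’ is shown as ‘x.hwp’) and then checks attachment names for an executable final extension preceded by a document-extension look-alike. The extension lists, the regular expression and the sample attachment batch are assumptions constructed for this example; the sample names are the ones quoted in the article plus two benign controls.

```python
import os
import re

# Outer extensions that Windows runs as programs (illustrative subset, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Inner extensions (or look-alike words) that make a name read as a document.
DOCUMENT_EXTS = {"hwp", "xls", "xlsx", "doc", "docx", "pdf", "ppt", "pptx", "txt"}

# Matches a document-extension look-alike at the end of the stem: ".hwp", "_xls",
# "_xls(4)", "_xls3" and similar, mimicking the name patterns reported in the article.
_DOC_LOOKALIKE = re.compile(
    r"[._](" + "|".join(DOCUMENT_EXTS) + r")\d*(\(\d+\))?$", re.IGNORECASE
)


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on.

    Explorer hides only the final extension, so 'x.hwp.scr' is shown as 'x.hwp'.
    """
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    if ext.lower() in EXECUTABLE_EXTS or ext.lower().lstrip(".") in DOCUMENT_EXTS:
        return stem
    return base


def is_double_extension_disguise(filename: str) -> bool:
    """True when the real (final) extension is executable and the stem ends in a
    document-extension look-alike, e.g. 'contract.hwp.scr' or 'data_xls(3).scr'."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    return ext.lower() in EXECUTABLE_EXTS and _DOC_LOOKALIKE.search(stem) is not None


def flag_attachments(filenames):
    """Return the attachment names that should be quarantined or held for review."""
    return [f for f in filenames if is_double_extension_disguise(f)]


# Constructed sample batch: the names quoted in the article plus two benign controls.
SAMPLE_ATTACHMENTS = [
    "2021-03-03 N company's non-real name ID GOLD's transaction contract completed copy.hwp.scr",
    "all member information and password_xls(4).scr",
    "management settlement and all data_xls(3).scr",
    "transaction guide_and_price list_application guide_xls3.exe",
    "quarterly report.xlsx",
    "setup.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = "SUSPICIOUS" if is_double_extension_disguise(name) else "ok"
        print(f"{verdict:10} shown as: {displayed_name(name)!r}")
```

Running the script flags the four names from the article and leaves the spreadsheet and the plain installer alone; `displayed_name` shows why the first one is convincing on a default Windows desktop, where only the trailing `.scr` is hidden and the user sees a name ending in `.hwp`. The underscore variants (`_xls(4).scr`) are not true double extensions, so the check deliberately looks for the document word rather than a literal second dot.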
If a user opens the file, mistaking it for an ordinary document without noticing the hidden extension, it can lead to hacking damage such as the download of additional malicious code and the theft of data and personal information stored on the PC.
In fact, in the newly discovered attacks, signs were found that the attacker had prepared to distribute additional malicious code.
An ESRC official said, “In the malicious files used in this attack, the .NET functions were encrypted with the ‘Crypto Obfuscator’ tool, a commercial obfuscation product from overseas, so that internal functions are not easily understood, which interferes with code analysis and evades antivirus detection.” The official added, “After disabling the obfuscation of the malicious files and analyzing the inside of the code in detail, ESRC found that the file storage of the well-known chat service Discord was exploited as a relay point for distributing additional malicious files.”
The attacker linked a normal hwp document together with the .NET open-source-based ‘AsyncRAT’ malicious agent file via the Discord CDN path, and had it run on the user’s computer under the file name ‘Microsoft.exe’.
Once exposed to the ‘AsyncRAT’ threat, the attacker obtains remote-control authority and can control most functions, such as recording the screen of the user’s PC and stealing keyboard input.
Jong-Hyun Moon, director of East Security’s ESRC, said, “Since the classic double-extension trick is still prevalent and actual infections still succeed, it is necessary to always pay attention to the extension of files delivered by e-mail or messenger. It is important to build the security habit of changing the Windows folder option so that file extensions are shown, and of carefully checking the icon and extension before opening a file.”