Banking Trojan Dropped Through Spoofed Korean CERT Bulletin

Cyber criminals continue to evolve tactics, sometimes going to great lengths to socially engineer people. In this recently observed sample, we find the long-standing and ever-evolving banking Trojan, Gozi using a Korean Cert to trick users into downloading malware. 

Gozi, which has traditionally infected users through macros and exploit kits has been found going after Korean language speakers through Hancom Word Processor (HWP) files. Hancom Office is extremely popular in Korea where it is used alongside, or instead of, Microsoft Office. HWP files have been used extensively by advanced persistent threat (APT) groups to target government, corporate, and academic targets throughout Korea. Given the comparatively esoteric nature of Hanword when compared to Microsoft Word, it is an uncommon delivery mechanism for banking Trojans like Gozi. The HWP file copies the text of a legitimate KrCERT Bulletin, but points to its own embedded file as the solution.[1] 

Figure 1: Dropper in HanWord

The dropper, titled 한글과 컴퓨터 보안패치_.hwp[2], relies on a now common social engineering tactic to entice the user- concerns over cybersecurity. With hacking, breaches, and spies making headlines worldwide, end users are more attentive to warnings of potential threats and are eager to protect themselves. This malicious document claims to offer protection from a potential threat.

Figure 2 Warning to Users.png

Figure 2: Warning to user of vulnerability 

The boxed section above warns of a vulnerability in Hangul Word Processor that could allow hackers to run arbitrary code through a specially crafted document or website. With the user now sufficiently concerned, the document gives them the solution, a “patch” embedded in the document which will do the exact opposite of what they had hoped. 

Figure 3: Warning generated when user tries to execute 'patch' 

 

Figure 4 Process spawned by execution.png

Figure 4: Process spawned by execution of Patch39

The patch is an OLE Package that generates a warning when one attempts to open it. The threat actors hope the document they crafted has sufficiently primed the victim to go ahead, possibly ignore suspicions they may have, and execute. If they do, Patch39 begins its work reaching out for its second stage payload, Gozi. 

Figure 5: Now infected machine attempting to download Gozi’s second stage 

This Gozi example further demonstrates the tenacity and creativity employed by cyber criminals to deceive victims.  In another recent example, we found a campaign that included a notable amount of anti-analysis, anti-virtualization, and obfuscation methods to thwart analysis and evade detection. We can expect these trends to continue with sophistication and cunning as table stakes for entry into cybercrime. 

MD5: 0e0a14571d410281cc07e4a5f110e259

[1] https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=23914

[2] Roughly translated via Google as “Korean computer security patch”

Article Link: https://info.phishlabs.com/blog/banking-trojan-dropped-through-spoofed-korean-cert-bulletin