Do you know what questions to ask when you're looking for an IT firm? We're here to help. Get the free guide delivered right to your inbox:
Antiy CERT detected a secret theft attack targeting Korea Scholarship Foundation, heavy industry companies and other institutions. Attackers used phishing emails to deliver malicious payloads with the subject of "Requesting Basic Industry Quotations", in order to induce victims to decompress and execute the LokiBot Trojan in the compressed package, resulting in user information disclosure.
Attackers used multiple mails with the same subject to lure in victims and delivered content based on specific interests of the organization.
The subject of "Requesting Basic Industry Quotations" was used by a number of attackers. The suspected main attacker has been identified as the Cyber Foreigner, who has been launching similar attacks against organizations with high interest in industry quotations, such as Korea Scholarship Foundation.
The malicious payload was decompressed and executed in the LokiBot Trojan, which was in turn launched against other targets through drive-by download attacks.
LokiBot is a Trojan that steals personal information and records chat history. To enhance their effectiveness, LokiBot is able to read keystrokes, steal passwords and exfiltrate data. Antiy CERT analyzed the malicious file and found that the Trojan did in fact steal personal information and records chat history.
After analyzing the attack operations by Antiy CERT, Korea Scholars Foundation confirmed that its information system was not infected with malware and no user data was stolen during the recent attack.