Analysis of a Secret Theft Attack Against Multiple Institutions in South Korea

Antiy CERT detected a secret theft attack targeting the Korea Scholarship Foundation, heavy industry companies and other institutions. Attackers used phishing emails with the subject "Requesting Basic Industry Quotations" to deliver a malicious payload, inducing victims to decompress the attached archive and execute the LokiBot Trojan it contained, which led to the disclosure of user information.

Attackers sent multiple emails with the same subject to lure victims, tailoring the content to the specific interests of each targeted organization.

The subject "Requesting Basic Industry Quotations" was used by a number of attackers. The suspected main attacker has been identified as the Cyber Foreigner, who has been launching similar attacks against organizations with a high interest in industry quotations, such as the Korea Scholarship Foundation.

Once decompressed and executed, the malicious payload ran the LokiBot Trojan, which was also delivered to other targets through drive-by download attacks.

LokiBot is a Trojan that steals personal information and records chat history. It can also log keystrokes, steal passwords and exfiltrate data. Antiy CERT analyzed the malicious file and confirmed that the Trojan does in fact steal personal information and record chat history.

After Antiy CERT's analysis of the attack operations, the Korea Scholarship Foundation confirmed that its information system was not infected with malware and that no user data was stolen during the recent attack.

Source: Analysis of a secret theft attack against multiple institutions in South Korea - AlienVault - Open Threat Exchange