# Incident Report: NTS Impersonation Phishing Campaign
## Executive Summary
A recent security alert identified a phishing campaign where threat actors impersonated the National Tax Service (NTS) of South Korea. The attack vector centered on delivering malicious content via phishing emails, likely leading to the deployment of malware or credential harvesting, though specific post-compromise actions within this summary are limited. The primary artifacts observed were several malicious file hashes associated with this campaign.
## Incident Details
- **Discovery Date:** March 28, 2025
- **Incident Date:** Occurred *around* March 28, 2025 (inferred from the report date; not stated explicitly)
- **Affected Organization:** Not explicitly named, but targets users associated with the National Tax Service (NTS) or related financial/tax matters.
- **Sector:** Government/Taxation services (Impersonated), likely impacting general populace or businesses submitting taxes.
- **Geography:** Implied to be South Korea (due to NTS relevance).
## Timeline of Events
The provided text does not contain a detailed, narrative timeline of an internal breach. It reports on the *detection* of the malicious artifacts associated with the attack vector.
### Initial Access
- **Date/Time:** Not specified (Reported March 28, 2025)
- **Vector:** Phishing Emails impersonating the National Tax Service (NTS).
- **Details:** The phishing emails likely directed recipients to malicious content themed around "Tax Invoices" (세금계산서) or "Hometax" (홈텍스) services, potentially delivered via HTML attachments or links.
### Lateral Movement
- Not detailed in the provided summary.
### Data Exfiltration/Impact
- Not detailed in the provided summary. The intent is likely financial fraud or credential theft related to tax information.
### Detection & Response
- **How it was discovered:** Analysis by AhnLab Security Emergency Response Center (ASEC).
- **Response actions taken:** Publication of threat intelligence and IOCs (MD5 hashes).
## Attack Methodology
The scope of this summary primarily covers the initial delivery mechanism:
- **Initial Access:** Phishing Emails (impersonating NTS).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Implied, as phishing often targets credentials (e.g., login details for Hometax).
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed.
- **Impact:** Not detailed, but context implies potential financial fraud or data compromise related to tax filings.
## Impact Assessment
- **Financial:** Unknown.
- **Data Breach:** Unknown types or volume, but contextually related to tax or invoice data.
- **Operational:** Unknown.
- **Reputational:** Damage to the NTS's official communication integrity due to impersonation.
## Indicators of Compromise
*Note: IOCs are directly listed due to the nature of the threat intelligence report and are not defanged as they are hashes, not active network indicators.*
- **Network indicators:** Not listed (only file hashes provided).
- **File indicators (MD5 Hashes):**
  - `01c466ac5ea1817f23d7bbe5e46fef87`
  - `10e7ffbdcf6a3a9cd34ce965efc5e2a7`
  - `60de322d3291b416f173d3f543a564fe`
  - `63cf524262372fc0e9db338d1d9264ad`
- **Behavioral indicators:** Use of HTML attachments/links within emails related to NTS/Tax Invoices, potential use of Telegram for C2 or communication (based on tags).
## Response Actions
The documented response action is **Threat Intelligence Dissemination**:
- Publishing the observed MD5 hashes associated with the malware used in the campaign.
- Alerting the public/subscribers via ASEC/AhnLab TIP to the threat vectors involving NTS impersonation.
## Lessons Learned
- **Key takeaways:** Threat actors are actively leveraging official government entities (NTS) and common tax correspondence (e.g., e-Tax Invoices) to create highly convincing phishing lures.
- **What could have been done better:** The summary lacks internal response details, but generally, user training on verifying official communications remains paramount.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Email Gateways:** Enhance filtering for external emails referencing NTS, Hometax, or Tax Invoices that contain suspicious attachments or links.
2. **User Education:** Conduct immediate, focused training sessions on identifying NTS/Tax authority phishing attempts, especially those referencing immediate action or specific documents like tax invoices.
3. **Verification Protocol:** Establish a strict policy for employees to never click links or open attachments in unsolicited financial/tax emails; instead, navigate directly to official portals (e.g., Hometax website).
4. **Infrastructure Scanning:** Scan internal endpoints against the provided MD5 hashes.
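One way to carry out the endpoint sweep in recommendation 4, as an added example that is not AhnLab/ASEC tooling: it walks a directory tree, streams each file through MD5 and reports any file whose digest is in the IoC set above. The root path, `scan_tree` and `demo` names, and the fixture files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes published for this campaign (copied from the IoC list above).
NTS_CAMPAIGN_MD5 = frozenset({
    "01c466ac5ea1817f23d7bbe5e46fef87",
    "10e7ffbdcf6a3a9cd34ce965efc5e2a7",
    "60de322d3291b416f173d3f543a564fe",
    "63cf524262372fc0e9db338d1d9264ad",
})


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large attachments need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=NTS_CAMPAIGN_MD5):
    """Return [(path, md5)] for every regular file under root whose MD5 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed fixture: a benign file plus a placeholder whose hash we add to a test IoC set."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "notes.txt").write_bytes(b"quarterly tax reminder - constructed sample\n")
        sample = Path(d) / "Downloads" / "tax_invoice.html"
        sample.parent.mkdir()
        sample.write_bytes(b"<html>constructed placeholder, not the real lure</html>")
        real_hits = scan_tree(d)  # sweep against the published hashes only
        fixture_hits = scan_tree(d, NTS_CAMPAIGN_MD5 | {md5_of_file(sample)})
        return len(real_hits), [h for _, h in fixture_hits] == [md5_of_file(sample)]
```

On a real endpoint, point `scan_tree` at user profile and mail-cache directories and feed the hit list to your ticketing or EDR workflow rather than deleting files in place.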