en.Wedoany.com Reported - ESTsecurity has identified a new spear-phishing campaign in which attackers send emails with subjects such as "Request for Confirmation of Suspected Personal Information Leak." The attackers first write to real business staff under a plausible pretext, build trust over several exchanges, and only then push them to download a malicious file. The technique itself is conventional spear-phishing; what stands out is the follow-up. When a security solution blocks the malicious link in the email, the attackers reassure the target with lines such as "It seems to be a false positive" and persuade them to open it anyway.
According to cases detected by the APT threat detection system of ESTsecurity's Security Response Center (ESRC), the attackers first exchange several ordinary-looking emails with a specific employee to build trust and then induce them to run a malicious file. In the first attempt, the corporate security solution blocked the malicious link in the email; the attackers replied that "our internal security team found no anomalies; it appears to be a false positive." They then resent the malware as a password-protected archive, which antivirus engines cannot inspect without the password. When the user extracts the archive and opens a Windows shortcut (LNK) file disguised as a normal document, the shortcut silently launches 32-bit PowerShell in the background, a choice that bypasses detection by some security products that monitor only the 64-bit host. The user sees a normal-looking Excel (XLSX) or PDF "customer status" document, while system information is collected and sent out and further malicious actions are executed.
To evade detection, the attackers used two frameworks. The first uses the legitimate Dropbox API as its command-and-control channel, steals information from the PC, and includes checks for virtual-machine analysis environments. The second communicates directly with an HTTPS server operated by the attackers, registers files disguised as updates for a well-known South Korean security product in the startup items for persistence, and hides its commands in that traffic. After detailed analysis of three collected samples, ESRC confirmed that all of them share the same internal structure and the same lure documents disguised as customer status files, indicating that one group used different tools within the same campaign as the situation required. The common characteristics are: sophisticated social engineering built on multiple email exchanges under the pretext of a personal information leak; a shared infiltration chain with the same initial execution via LNK files and Korean-language lure documents; the parallel use of a legitimate cloud service and attacker-owned domains as a multi-channel command-and-control (C2) infrastructure, so that an alternative channel remains when one is blocked; and indicators pointing at South Korean targets, such as the "Pan" series activity identifier and the impersonation of South Korean security software.
An ESRC official emphasized that this attack avoided suspicion by using the topic security personnel worry about most, personal information leaks. Even when the sender is an external party and the conversation proceeds naturally, extra caution is needed before executing attachments or opening links. The official reminded readers that if a file blocked by a security solution is claimed to be a false positive and resent as a password-protected archive, that is a clear attack signal and the file must never be executed. Working staff should disable the "Hide extensions for known file types" option in Windows Explorer settings and always verify the actual file extension (LNK, EXE, etc.) before execution, building safe operational habits.
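The two defensive steps above, showing real extensions and checking what a shortcut actually launches, are worth scripting, because the LNK trick described earlier (a shortcut named like a document that starts 32-bit PowerShell in the background) is exactly what they are meant to catch. The following PowerShell is an added example, not code from ESTsecurity, ESRC or Wedoany. It assumes an extracted archive lives in a folder you pass in, and the file-name patterns it looks for are illustrative. One caveat a practitioner should know: even with HideFileExt set to 0, Explorer never displays the ".lnk" extension itself (the lnkfile class carries a NeverShowExt value), so a shortcut still appears as "customer status.xlsx" in the file list; the triage function therefore reads the real name and the shortcut's target directly rather than relying on what Explorer shows.

```powershell
# Added example (not ESTsecurity's, ESRC's or Wedoany's code).
# Part 1: make Explorer show extensions for known file types.
# Part 2: triage .lnk files from an extracted archive for the indicators in the report.

function Show-KnownExtensions {
    param([switch]$RestartExplorer)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # HideFileExt = 1 is the default (weak) setting; 0 shows "report.xlsx.exe" instead of "report.xlsx".
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    if ($RestartExplorer) {
        # Explorer reads the value at start-up; relaunching the shell applies it immediately.
        Stop-Process -Name explorer -Force
        Start-Process explorer.exe
    }
    return ((Get-ItemProperty -Path $key -Name 'HideFileExt').HideFileExt -eq 0)
}

function Get-SuspiciousShortcut {
    param([Parameter(Mandatory)][string]$Folder)   # folder path is an assumption

    # Resolve each shortcut through the Shell COM object to read its real target and arguments.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Folder -Filter '*.lnk' -File -Recurse | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        $lnkArgs = $lnk.Arguments
        $reasons = @()

        # The report's key indicator: the shortcut launches the 32-bit PowerShell host (SysWOW64).
        if ($target -match '\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe$') {
            $reasons += '32-bit PowerShell target'
        } elseif ($target -match '(powershell|pwsh)\.exe$') {
            $reasons += 'PowerShell target'
        }
        # Hidden window or encoded command: the payload runs while the user sees only the decoy document.
        if ($lnkArgs -match '-(w|win|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s') {
            $reasons += 'hidden window or encoded command'
        }
        # Double extension such as "customer status.xlsx.lnk": Explorer displays it as "customer status.xlsx".
        # The document extensions here are illustrative (hwp is a common Korean document format).
        if ($_.BaseName -match '\.(xlsx?|docx?|pdf|hwp)$') {
            $reasons += 'document-style double extension'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File      = $_.FullName   # real name, including the .lnk Explorer hides
                Target    = $target
                Arguments = $lnkArgs
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage (paths are assumptions):
# Show-KnownExtensions -RestartExplorer
# Get-SuspiciousShortcut -Folder "$env:USERPROFILE\Downloads\extracted" | Format-List
```

Run the triage before double-clicking anything from a password-protected archive: a shortcut whose target is a PowerShell host with a hidden window is not a document, whatever its icon and displayed name say. The Explorer setting is a habit-building measure for everyday files (EXE, SCR, etc.); it does not by itself expose shortcuts, which is why the function reports the full name from the file system.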
This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com