Phishing Emails Distributed During Performance Review Season
Remote Control Malware Activated When Downloading or Running Email Attachments
AhnLab recently discovered a phishing email distributing malware disguised as an employee performance report and on December 24 urged users to exercise caution.
According to the case disclosed by AhnLab, the attacker impersonated a corporate HR team and sent an email titled "Employee Performance Report." This phishing attack targeted the year-end and New Year period, when HR-related notification emails become more frequent, exploiting a time when employees tend to be less vigilant.
The attacker attached a file to the email and included a message inside the file stating, "All names marked in red indicate employees scheduled for dismissal," prompting recipients to check the contents. The email contained an attachment named "staff record pdf," but the actual file extension ".rar" was hidden to make it appear as a regular PDF document.
If a user opens the attachment, a compressed file is downloaded, and running the executable file (.exe) inside triggers the malware. This malware was analyzed as a remote control tool capable of various malicious activities, such as capturing PC screens and keystrokes, accessing the webcam and microphone, and stealing information stored in web browsers.
To prevent phishing email damage, AhnLab emphasized the importance of following basic security guidelines: verifying the sender's email address and domain validity; refraining from opening attachments or URLs in emails from unknown sources; applying the latest security patches to PCs, operating systems, software, and browsers; and enabling real-time antivirus monitoring.
Moonju Lim, Manager of the AhnLab Analysis Team who analyzed this case, said, "During the year-end and New Year period, phishing attacks exploiting timely issues such as performance evaluations, organizational restructuring, salary negotiations, bonuses, and annual leave may increase. It is important to carefully check the sender and contents of emails and to share suspicious cases with colleagues to prevent damage."
Meanwhile, AhnLab provides updates on various phishing attack trends, security advisories, and indicators of compromise (IoCs), including this case, through its next-generation threat intelligence platform, AhnLab TIP. In addition, the V3 product line and the sandbox-based APT response solution, AhnLab MDS, offer detection capabilities for malicious files distributed via these emails.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
